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Abstract. We propose timed (finite) automata to model the behavior of real- 
time systems over time. Our definition provides a simple, and yet powerful, way to 
annotate state-transition graphs with timing constraints using finitely many real- 
valued clocks. A timed automaton accepts timed words — infinite sequences in 
which a real-valued time of occurrence is associated with each symbol. We study 
timed automata from the perspective of formal language theory: we consider closure 
properties, decision problems, and subclasses. We consider both nondeterministic 
and deterministic transition structures, and both Biichi and Muller acceptance con- 
ditions. We show that nondeterministic timed automata are closed under union and 
intersection, but not under complementation, whereas deterministic timed Muller 
automata are closed under all Boolean operations. The main construction of the 
paper is an (PSPACE) algorithm for checking the emptiness of the language of a 
(nondeterministic) timed automaton. We also prove that the universality problem 
and the language inclusion problem are solvable only for the deterministic automata: 
both problems are undecidable (II-hard) in the nondeterministic case and PSPACE- 
complete in the deterministic case. Finally, we discuss the application of this theory 
to automatic verification of real-time requirements of finite-state systems. 
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1 Introduction 


Modal logics and w-automata for qualitative temporal reasoning about concurrent systems 
have been studied in great detail (selected references: [36, 32, 16, 28, 47, 44, 37, 11]). 
These formalisms abstract away from time, retaining only the sequencing of events. In 
the linear time model, it is assumed that an execution can be completely modeled as a 
sequence of states or system events, called an execution trace (or just trace). The behavior 
of the system is a set of such execution sequences. Since a set of sequences is a formal 
language, this leads naturally to the use of automata for the specification and verification 
of systems. When the systems are finite-state, as many are, we can use finite automata, 
leading to effective constructions and decision procedures for automatically manipulat- 
ing and analyzing system behavior. The universal acceptance of finite automata as the 
canonical model of finite-state computation can be attributed to the robustness of the 
model and the appeal of its theory. In particular, a variety of competing formalisms — 
nondeterministic Buchi automata, deterministic and nondeterministic Muller automata, 
w-regular expressions, modal formulas of (extended) temporal logic, and second-order for- 
mulas of the monadic theory of one successor (S15) — have the same expressiveness, and 
define the class of w-regular languages [7, 9, 33, 46, 42]. Consequently many verification 
theories are based on the theory of w-regular languages. 

Although the decision to abstract away from quantitative time has had many ad- 
vantages, it is ultimately counterproductive when reasoning about systems that must 
interact with physical processes; the correct functioning of the control system of airplanes 
and toasters depends crucially upon real-time considerations. We would like to be able to 
specify and verify models of real-time systems as easily as qualitative models. Our goal 
is to modify finite automata for this task and develop a theory of timed finite automata, 
similar in spirit to the theory of w-regular languages. We believe that this should be the 
first step in building theories for the real-time verification problem. 

For simplicity, we discuss models that consider executions to be infinite sequences of 
events, not states (the theory with state-based models differs only in details). Within this 
framework, it is possible to add timing to an execution trace by pairing it with a sequence 
of times, where the z’th element of the time sequence gives the time of occurrence of the 
7th event. At this point, however, a fundamental question arises: what is the nature of 
timel 


Modeling time 


One alternative, which leads to the discrete-time model, requires the time sequence to 
be a monotonically increasing sequence of integers. This model is appropriate for certain 
kinds of synchronous digital circuits, where signal changes are considered to have changed 
exactly when a clock signal arrives. One of the advantages of this model is that it can be 
transformed easily into an ordinary formal language. Each timed trace can be expanded 
into a trace where the times increase by exactly one at each step, by inserting a special 
silent event as many times as necessary between events in the original trace. Once this 
transformation has been performed, the time of each event is the same as its position, 
so the time sequence can be discarded, leaving an ordinary string. Hence, discrete time 
behaviors can be manipulated using ordinary finite automata. Of course, in physical 


processes events do not always happen at integer-valued times. The discrete-time model 
requires that continuous time be approximated by choosing some fixed quantum a priori, 
which limits the accuracy with which physical systems can be modeled. 

The fictitious-clock model is similar to the discrete time model, except that it only 
requires the sequence of integer times to be non-decreasing. The interpretation of a timed 
execution trace in this model is that events occur in the specified order at real-valued 
times, but only the (integer) readings of the actual times with respect to a digital clock 
are recorded in the trace. This model is also easily transformed into a conventional 
formal language. First, add to the set of events a new one, called tick. The untimed 
trace corresponding to a timed trace will include all of the events from the timed trace, 
in the same order, but with ¢;4, — t; number of ticks inserted between the ¿th and the 
(i+ 1)’th events (note that this number may be 0). Once again, it is conceptually simple 
to manipulate these behaviors using finite automata, but the compensating disadvantage 
is that it represents time only in an approximate sense. 

We prefer a dense-time model, in which time is a dense set, because it is a more 
natural model for physical processes operating over continuous time. In this model, the 
times of events are real numbers, which increase monotonically without bound. Dealing 
with dense time in a finite-automata framework is more difficult than the other two cases, 
because it is not obvious how to transform a set of dense-time traces into an ordinary 
formal language. Instead, we have developed a theory of timed formal languages and 
timed automata to support automated reasoning about such systems. 


Overview 


To augment finite w-automata with timing constraints, we propose the formalism of timed 
automata. Timed automata accept timed words — infinite sequences in which a real- 
valued time of occurrence is associated with each symbol. A timed automaton is a finite 
automaton with a finite set of real-valued clocks. The clocks can be reset to 0 (indepen- 
dently of each other) with the transitions of the automaton, and keep track of the time 
elapsed since the last reset. The transitions of the automaton put certain constraints on 
the clock values: a transition may be taken only if the current values of the clocks satisfy 
the associated constraints. With this mechanism we can model timing properties such 
as “the channel delivers every message within 3 to 5 time units of its receipt”. Timed 
automata can capture several interesting aspects of real-time systems: qualitative fea- 
tures such as liveness, fairness, and nondeterminism; and quantitative features such as 
periodicity, bounded response, and timing delays. 

We study timed automata from the perspective of formal language theory. We consider 
both deterministic and nondeterministic varieties, and for acceptance criteria we consider 
both Buchi and Muller conditions. We show that nondeterministic timed automata are 
closed under union and intersection, but surprisingly, not under complementation. The 
closure properties for the deterministic classes are similar to their untimed counterparts: 
deterministic timed Muller automata are closed under all Boolean operations, whereas 
deterministic timed Büchi automata are closed under only the positive Boolean operations. 
These results imply that, unlike the untimed case, deterministic timed Muller automata 
are strictly less expressive than their nondeterministic counterparts. 

We study a variety of decision problems for the different types of timed automata. The 


main positive result is an untiming construction for timed automata. Due to the real- 
valued clock variables, the state space of a timed automaton is infinite, and the untiming 
algorithm constructs a finite quotient of this space. This is used to prove that the set 
of untimed words consistent with the timing constraints of a timed automaton forms an 
w-regular set. It also leads to a PSPACE decision procedure for testing emptiness of the 
language of a timed automaton. We also show that the dual problem of testing whether 
a timed automaton accepts all timed words (i.e., the universality question) is undecidable 
(Ilj-hard) for nondeterministic automata. This also implies the undecidability of the 
language inclusion problem. However, both these problems can be solved in PSPACE for 
the deterministic versions. 

Finally, we show how to apply the theory of timed automata to prove correctness of 
finite-state real-time systems. We give a PSPACE verification algorithm to test whether 
a system modeled as a product of timed automata satisfies its specification given as a 
deterministic timed Muller automaton. 


Related work 


Different ways of incorporating timing constraints in the qualitative models of a system 
have been proposed recently, however, no attempt has been made to develop a theory 
of timed languages and no algorithms for checking real-time properties in the dense-time 
model have been developed. 

Perhaps the most standard way of introducing timing information in a process model 
is by associating lower and upper bounds with transitions. Examples of these include 
timed Petri nets [38], timed transition systems [35, 21], timed I/O automata [31], and 
Modecharts [25]. In a timed automaton, unlike these other models, a bound on the time 
taken to traverse a path in the automaton, not just the time interval between the successive 
transitions, can be directly expressed. Our model is based on an earlier model proposed 
by Dill that employs timers [13]. A model similar to Dill’s was independently proposed 
and studied by Lewis [30]. He defines state-diagrams, and gives a way of translating a 
circuit description to a state-diagram. A state-diagram is a finite-state machine where 
every edge is annotated with a matrix of intervals constraining various delays. Lewis also 
develops an algorithm for checking consistency of the timing information for a special 
class of state-diagrams; the ones for which there exists a constant K such that at most K 
transitions can happen in a time interval of unit length. Our untiming construction does 
not need the latter assumption, and has a better worst-case complexity. We note that the 
decidability and lower bound results presented here carry over to his formalism also. 

There have been a few attempts to extend temporal logics with quantitative time 
[6, 24, 26, 35, 17, 5, 20]. Most of these logics employ the discrete-time or the fictitious- 
clock semantics. In the case of the dense-time model the only previously known result is 
an undecidability result: in [5] it is shown that the satisfiability problem for a real-time 
extension of the linear-time temporal logic PTL is undecidable (“j-hard) in the dense-time 
model. 


BS 


Figure 1: Büchi automaton accepting (a + b)*a“ 


2 w-automata 


In this section we will briefly review the relevant aspects of the theory of w-regular lan- 
guages. 

The more familiar definition of a formal language is as a set of finite words over some 
given (finite) alphabet (see, for example, [23]). As opposed to this, an w-language consists 
of infinite words. Thus an w-language over a finite alphabet X is a subset of X” — the set 
of all infinite words over X. w-automata provide a finite representation for certain types 
of w-languages. An w-automaton is essentially the same as a nondeterministic finite-state 
automaton, but with the acceptance condition modified suitably so as to handle infinite 
input words. Various types of w-automata have been studied in the literature [7, 33, 9, 42]. 
We will mainly consider two types of w-automata: Buchi automata and Muller automata. 

A transition table A is a tuple (X, S, So, E), where È is an input alphabet, S is a finite 
set of automaton states, So € S is a set of start states, and ECS x S x X is a set of 
edges. The automaton starts in an initial state, and if (s,s’,a) € E then the automaton 
can change its state from s to s’ reading the input symbol a. 

For a word o = 902... over the alphabet Ÿ, we say that 


r: So > S] > S2 yee 


is a run of A over ©, provided sọ € So, and (s;-1, 8;,0;) € E for all ¿ > 1. For such a run, 
the set inf (r) consists of the states s € S such that s = s; for infinitely many i > 0. 

Different types of w-automata are defined by adding an acceptance condition to the 
definition of the transition tables. A Büchi automaton A is a transition table (£, S, So, E) 
with an additional set F C S of accepting states. A run r of A over a word g € X* is an 
accepting run iff inf(r) AF 4 Ÿ. In other words, a run r is accepting iff some state from 
the set F repeats infinitely often along r. The language L(A) accepted by A consists of 
the words o € X” such that A has an accepting run over ø. 


Example 2.1 Consider the 2-state automaton of Figure 1 over the alphabet {a,b}. The 
state sọ is the start state and sı is the accepting state. Every accepting run of the 
automaton has the form 


with o; € {a,b} for 1 < i < n for some n > 1. The automaton accepts all words with 
only a finite number of 6’s; that is, the language Lo = (a+ b)*a*. m 


Figure 2: Deterministic Muller automaton accepting (a + b)*a“ 


An w-language is called w-regular iff it is accepted by some Buchi automaton. Thus 
the language Lo of Example 2.1 is an w-regular language. 

The class of w-regular languages is closed under all the Boolean operations. Language 
intersection is implemented by a product construction for Büchi automata [9, 47]. There 
are known constructions for complementing Büchi automata [41, 40]. 

When Büchi automata are used for modeling finite-state concurrent processes, the 
verification problem reduces to that of language inclusion. The inclusion problem for 
w-regular languages is decidable. To test whether the language of one automaton is 
contained in the other, we check for emptiness of the intersection of the first automaton 
with the complement of the second. Testing for emptiness is easy; we only need to search 
for a cycle that is reachable from a start state and includes at least one accepting state. 
In general, complementing a Buchi automaton involves an exponential blow-up in the 
number of states, and the language inclusion problem is known to be PSPACE-complete 
[41]. However, checking whether the language of one automaton is contained in the 
language of a deterministic automaton can be done in polynomial time [27]. 

A transition table A = (X, S, So, E) is deterministic iff (i) there is a single start state, 
that is, Sol = 1, and (ii) the number of a-labeled edges starting at s is at most one 
for all states s € S and for all symbols a € X. Thus, for a deterministic transition 
table, the current state and the next input symbol determine the next state uniquely. 
Consequently, a deterministic automaton has at most one run over a given word. Unlike 
the automata on finite words, the class of languages accepted by deterministic Büchi 
automata is strictly smaller than the class of w-regular languages. For instance, there is 
no deterministic Buchi automaton which accepts the language Lo of Example 2.1. Muller 
automata (defined below) avoid this problem at the cost of a more powerful acceptance 
condition. 

A Muller automaton A is a transition table (©,$,50,E) with an acceptance family 
F C25. Arun r of A over a word o € X® is an accepting run iff inf(r) € F. That is, a 
run r is accepting iff the set of states repeating infinitely often along r equals some set in 
F. The language accepted by A is defined as in case of Büchi automata. 

The class of languages accepted by Muller automata is the same as that accepted by 
Buchi automata, and also equals that accepted by deterministic Muller automata. 


Example 2.2 The deterministic Muller automaton of Figure 2 accepts the language Lo 
consisting of all words over {a,b} with only a finite number of 6’s. The Muller acceptance 
family is {{s1}}. Thus every accepting run can visit the state so only finitely often. m 


Thus deterministic Muller automata form a strong candidate for representing w-regular 
languages: they are as expressive as their nondeterministic counterpart, and they can be 
complemented in polynomial time. Algorithms for constructing the intersection of two 
Muller automata and for checking language inclusion are known [10]. 


3 Timed automata 


In this section we define timed words by coupling a real-valued time with each symbol in 
a word. Then we augment the definition of w-automata so that they accept timed words, 
and use them to develop a theory of timed regular languages analogous to the theory of 
w-regular languages. 


3.1 Timed languages 


We define timed words so that a behavior of a real-time system corresponds to a timed 
word over the alphabet of events. As in the case of the dense-time model, the set of 
nonnegative real numbers, R, is chosen as the time domain. A word ø is coupled with a 
time sequence T as defined below: 


Definition 3.1 A time sequence T = 7,72--- is an infinite sequence of time values 7; € R 
with 7; > 0, satisfying the following constraints: 


1. Monotonicity: T increases strictly monotonically; that is, 7 < 7:41 for all ¿ > 1. 


2. Progress: For every t € R, there is some z > 1 such that 7; >t. 


A timed word over an alphabet © is a pair (o, T) where o = o102... is an infinite word 
over À and 7 is a time sequence. A timed language over X} is a set of timed words over X. 
a 


If a timed word (0,7) is viewed as an input to an automaton, it presents the symbol 
c; at time 7;. If each symbol c; is interpreted to denote an event occurrence then the 
corresponding component 7; is interpreted as the time of occurrence of o;. Under certain 
circumstances it may be appropriate to allow the same time value to be associated with 
many consecutive events in the sequence. To accommodate this possibility one could use 
a slightly different definition of timed words by requiring a time sequence to increase only 
monotonically (i.e., require 7; < 741 for all ¿ > 1). All our results continue to hold in this 


alternative model also. 
Let us consider some examples of timed languages. 


Example 3.2 Let the alphabet be {a,b}. Define a timed language Lı to consist of all 
timed words (0,7) such that there is no b after time 5.6. Thus the language LA is given 
by 
Lı = {(0,7) | Vi. ((% > 5.6) — (0; =a))}. 
Another example is the language Lo consisting of timed words in which a and 6 alter- 
nate, and for the successive pairs of a and b, the time difference between a and b keeps 
increasing. The language Lə is given as 


Ly = {((ab)°,7) | Ve. (rai — T2i-1) < (Teit2 — Tei41))f- m 


b, (x<2)? 
Figure 3: Example of a timed transition table 


The language-theoretic operations such as intersection, union, complementation are 
defined for timed languages as usual. In addition we define the Untime operation which 
discards the time values associated with the symbols, that is, it considers the projection 
of a timed trace (g, T) on the first component. 


Definition 3.3 For a timed language L over X, Untime(L) is the w-language consisting 
of o € XY” such that (o,r) € L for some time sequence 7. m 


For instance, referring to Example 3.2, Untime( Lı) is the w-language (a + b)*a”, and 
Untime( Lz) consists of a single word (ab)”. 


3.2 Transition tables with timing constraints 


Now we extend transition tables to timed transition tables so that they can read timed 
words. When an automaton makes a state-transition, the choice of the next state depends 
upon the input symbol read. In case of a timed transition table, we want this choice to 
depend also upon the time of the input symbol relative to the times of the previously 
read symbols. For this purpose, we associate a finite set of (real-valued) clocks with each 
transition table. A clock can be set to zero simultaneously with any transition. At any 
instant, the reading of a clock equals the time elapsed since the last time it was reset. 
With each transition we associate a clock constraint, and require that the transition may 
be taken only if the current values of the clocks satisfy this constraint. Before we define 
the timed transition tables formally, let us consider some examples. 


Example 3.4 Consider the timed transition table of Figure 3. The start state is sọ. 
There is a single clock x. An annotation of the form x := 0 on an edge corresponds to 
the action of resetting the clock x when the edge is traversed. Similarly an annotation of 
the form (x < 2) on an edge gives the clock constraint associated with the edge. 

The automaton starts in state sg, and moves to state sı reading the input symbol a. 
The clock x gets set to 0 along with this transition. While in state sı, the value of the 
clock x shows the time elapsed since the occurrence of the last a symbol. The transition 
from state sı to sọ is enabled only if this value is less than 2. The whole cycle repeats 
when the automaton moves back to state so. Thus the timing constraint expressed by 
this transition table is that the delay between a and the following 6 is always less than 2; 
more formally, the language is 


{((ab)%, 7) | Ve. (rai < Tia + 2)}. 


d, (y>2)? 


Figure 4: Timed transition table with 2 clocks 


Thus to constrain the delay between two transitions e; and ez, we require a particular 
clock to be reset on e1, and associate an appropriate clock constraint with ez. Note that 
clocks can be set asynchronously of each other. This means that different clocks can 
be restarted at different times, and there is no lower bound on the difference between 
their readings. Having multiple clocks allows multiple concurrent delays, as in the next 
example. 


Example 3.5 The timed transition table of Figure 4 uses two clocks x and y, and accepts 
the language 


La = {((abed)”, T) | VJ. ((Taj+3 < Tan +1) A (Taj+4 > Taj + 2))}- 


The automaton cycles among the states so, 81, s2 and s3. The clock x gets set to 
0 each time it moves from so to sı reading a. The check (x < 1)[ associated with the 
c-transition from s2 to s3 ensures that c happens within time 1 of the preceding a. A 
similar mechanism of resetting another independent clock y while reading 6 and checking 
its value while reading d, ensures that the delay between 6 and the following d is always 
greater than 2. m 


Notice that in the above example, to constrain the delay between a and € and between 
b and d the automaton does not put any explicit bounds on the time difference between 
a and the following b, or c and the following d. This is an important advantage of having 
multiple clocks which can be set independently of each other. The above language La is 
the intersection of the two languages Li and L2 defined as 


L {((abed)*, T) | YJ. (Taj+3 < Taj + DE 
Le = {((abed)®, T) | Yj. (Taj+a > Tajo + 2)}- 


Each of the languages Li and L2 can be expressed by an automaton which uses just one 
clock; however to express their intersection we need two clocks. 

We remark that the clocks of the automaton do not correspond to the local clocks 
of different components in a distributed system. All the clocks increase at the uniform 
rate counting time with respect to a fixed global time frame. They are fictitious clocks 
invented to express the timing properties of the system. Alternatively, we can consider 
the automaton to be equipped with a finite number of stop-watches which can be started 
and checked independently of one another, but all stop-watches refer to the same clock. 


3.3 Clock constraints and clock interpretations 


To define timed automata formally, we need to say what type of clock constraints are 
allowed on the edges. The simplest form of a constraint compares a clock value with a 
time constant. We allow only the Boolean combinations of such simple constraints. Any 
value from Q, the set of nonnegative rationals, can be used as a time constant. Later, in 
Section 5.5, we will show that allowing more complex constraints, such as those involving 
addition of clock values, leads to undecidability. 


Definition 3.6 For a set X of clock variables, the set ®(X) of clock constraints 6 is 
defined inductively by 
6:=a<cle<a| 76] 6, A ba, 


where x is a clock in X and c is a constant in Q. m 


Observe that constraints such as true, (x = c), x € [2,5) can be defined as abbrevia- 
tions. 

A clock interpretation v for a set X of clocks assigns a real value to each clock; that 
is, it is a mapping from X to R. We say that a clock interpretation v for X satisfies a 
clock constraint 6 over X iff 6 evaluates to true using the values given by v. 

For t € R, v +t denotes the clock interpretation which maps every clock x to the value 
v(x) +t, and the clock interpretation t-v assigns to each clock x the value t-v(x). For 
Y CX, [Y => {]r denotes the clock interpretation for X which assigns { to each x € Y, 
and agrees with v over the rest of the clocks. 


3.4 Timed transition tables 
Now we give the precise definition of timed transition tables. 


Definition 3.7 A timed transition table A is a tuple (X, S, So, C, E), where 


e ` is a finite alphabet, 

e 5 is a finite set of states, 

e S CS is a set of start states, 

e C is a finite set of clocks, and 

e ECSXSXE x 2° x ð(C) gives the set of transitions. An edge (s, s’,a, À, 6) 
represents a transition from state s to state s’ on input symbol a. The set 
À € C gives the clocks to be reset with this transition, and 6 is a clock 
constraint over C. 


Given a timed word (0,7), the timed transition table A starts in one of its start states 
at time 0 with all its clocks initialized to 0. As time advances, the values of all clocks 
change, reflecting the elapsed time. At time 7;, A changes state from s to s’ using some 
transition of the form (s,s’,0;,A,6) reading the input o;, if the current values of clocks 
satisfy 6. With this transition the clocks in À are reset to 0, and thus start counting time 
with respect to the time of occurrence of this transition. This behavior is captured by 
defining runs of timed transition tables. A run records the state and the values of all the 
clocks at the transition points. For a time sequence T = 77... we define To = 0. 


Definition 3.8 A run r, denoted by (3,7), of a timed transition table (X, S, So, C, E) over 
a timed word (0,7) is an infinite sequence of the form 


r: (So, Yo) <> (51,71) = (82, V2) <> 


with s; € S and v; € [C — R], for all ¿ > 0, satisfying the following requirements: 
e Initiation: 89 € So, and vo(x) = 0 for all x € C. 


e Consecution: for all à > 1, there is an edge in E of the form (s;-1, Si, Ci, A;, 6;) such 
that (v;-1 + Ti — Ti-1) satisfies 6; and v; equals [Aj > 0](v;-1 + Ti — Ti-1). 


The set inf(r) consists of those states s € S such that s = s; for infinitely many à > 0. m 


Example 3.9 Consider the timed transition table of Example 3.5. Consider a timed 
word 


(a,2) — (b,2.7) — (c,2.8) — (d,5) — -.. 


Below we give the initial segment of the run. A clock interpretation is represented by 
listing the values |z, y]. 


(so, [0, 0}) + (s1,[0,2]) <= (s2, [0.7, 0]) > (ss, [0.8,0.1]) + (so; [3,2:3]) + 


Along a run r = (3,7) over (0,7), the values of the clocks at time t between 7; and 
Tiq1 are given by the interpretation (v;+t—7;). When the transition from state s; to 5;41 
occurs, we use the value (v; + T;41 — Ti) to check the clock constraint; however, at time 
Ti41, the value of a clock that gets reset is defined to be 0. 

Note that a transition table A = (X, S, So, E) can be considered to be a timed transition 
table A’. We choose the set of clocks to be the empty set, and replace every edge (s, s’, a) 
by (s, s',a, 0, true). The runs of A’ are in an obvious correspondence with the runs of A. 


3.5 Timed regular languages 


We can couple acceptance criteria with timed transition tables, and use them to define 
timed languages. 


Definition 3.10 A timed Büchi automaton (in short TBA) is a tuple (£, S, So, C, E, F), 
where (X, S, So, C, E) is a timed transition table, and F CS is a set of accepting states. 
A run r = (3,7) of a TBA over a timed word (0,7) is called an accepting run iff 
inf(r) NF £ 0. 
For a TBA A, the language L(A) of timed words it accepts is defined to be the set 
{(o,7) | A has an accepting run over (o,T)}. m 


In analogy with the class of languages accepted by Buchi automata, we call the class 
of timed languages accepted by TBAs timed regular languages. 
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b, (x<2) ? 


Figure 5: Timed Buchi automaton accepting Lert 


Definition 3.11 A timed language L is a timed regular language iff L = L(A) for some 
TBA A. m 


Example 3.12 The language L3 of Example 3.5 is a timed regular language. The timed 
transition table of Figure 4 is coupled with the acceptance set consisting of all the states. 
For every w-regular language L over X, the timed language {(o,7) |o € L} is regular. 
A typical example of a nonregular timed language is the language Lz of Example 3.2. It 
requires that the time difference between the successive pairs of a and 6 form an increasing 
sequence. 
Another nonregular language is {(a”,7) | V2. (r; = 2')}. m 


The automaton of Example 3.13 combines the Buchi acceptance condition with the 
timing constraints to specify an interesting convergent response property: 


Example 3.13 The automaton of Figure 5 accepts the timed language Lat over the 
alphabet {a,b}. 


Lew = {((ab)*,7) | IVJ 2 à (Taj < Te) +2)} 


The start state is so, the accepting state is s2, and there is a single clock x. The 
automaton starts in state so, and cycles between the states so and sı for a while. Then, 
nondeterministically, it moves to state s2 setting its clock x to 0. While in the cycle 
between the states s and s3, the automaton resets its clock while reading a, and ensures 
that the next bis within 2 time units. Interpreting the symbol b as a response to a request 
denoted by the symbol a, the automaton models a system with a convergent response time; 
the response time is “eventually” always less than 2 time units. m 


The next example shows that timed automata can specify periodic behavior also. 


Example 3.14 The automaton of Figure 6 accepts the following language over the al- 


phabet {a,b}. 


{fo T) | Vi. 3j. (T; = 3i A c; =a)} 


The automaton has a single state sg, and a single clock x. The clock gets reset at 
regular intervals of period 3 time units. The automaton requires that whenever the clock 
equals 3 there is an a symbol. Thus it expresses the property that a happens at all time 
values that are multiples of 3. m 
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a,b, (x<3) ? 


a, (x=3)?,x:=0 


Figure 6: Timed automaton specifying periodic behavior 


3.6 Properties of timed regular languages 


The next theorem considers some closure properties of timed regular languages. 


Theorem 3.15 The class of timed regular languages is closed under (finite) union and 
intersection. 

PROOF. Consider TBAs A; = (X, Si, So, Ci, Ei, Fi), à = 1,2,...n. Assume without 
loss of generality that the clock sets C; are disjoint. We construct TBAs accepting the 
union and intersection of L(A;). 

Since TBAs are nondeterministic the case of union is easy. The required TBA is simply 
the disjoint union of all the automata. 

Intersection can be implemented by a trivial modification of the standard product 
construction for Büchi automata [9]. The set of clocks for the product automaton A is 
U;C;. The states of A are of the form (51,...5,,k), where each s; € S;, and 1 < k <n. The 
i-th component of the tuple keeps track of the state of A;, and the last component is used 
as a counter for cycling through the accepting conditions of all the individual automata. 
Initially the counter value is 1, and it is incremented from k to (k + 1) (modulo n) iff the 
current state of the k-th automaton is an accepting state. Note that we choose the value 
ofn mod n to ben. 

The initial states of A are of the form (s1,...Sn,1)} where each s; is a start state of 
A;. A transition of A is obtained by coupling the transitions of the individual automata 
having the same label. Let {(s;,5/, a, À;,6;) € E; | i = 1,...n} be a set of transitions, one 
per each automaton, with the same label a. Corresponding to this set, there is a joint 
transition of À out of each state of the form (s1,...5,,k) labeled with a. The new state 
is (54,...5),7) with J = (k +1) mod n if sx € Fp, and j = k otherwise. The set of clocks 
to be reset with this transition is U;À;, and the associated clock constraint is A;6;. 

The counter value cycles through the whole range 1,...n infinitely often iff the ac- 
cepting conditions of all the automata are met. Consequently, we define the accepting set 
for A to consist of states of the form (s1,...s,,n), where s, € Fn. m 


In the above product construction, the number of states of the resulting automaton 
is n-II,|S;|. The number of clocks is U;|C;|, and the size of the edge set is n-H,;|E,|. Note 
that |E] includes the length of the clock constraints assuming binary encoding for the 
constants. 
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0 a,x:=0 & b 
(so) (x=1) ? y:=0 =) 


b, (y<1)?,y:=0 


Figure 7: Timed automaton accepting Leonverge 


Observe that even for the timed regular languages arbitrarily many symbols can occur 
in a finite interval of time. Furthermore, the symbols can be arbitrarily close to each 
other. Consider the following example. 


Example 3.16 The language accepted by the automaton in Figure 7 is 
Lronieiye = {((ab)*, T) | Vi. (Tai =i ^ (Tai a oea e Toi41))}. 


Every word accepted by this automaton has the property that the sequence of time 
differences between a and the following b is strictly decreasing. A sample word accepted 
by the automaton is 


(a,1) — (b,1.5) — (a,2) — (6,2.25) — (a,3) > (b,3.125) > --- 


This example illustrates that the model of reals is indeed different from the discrete- 
time model. If we require all the time values 7; to be multiples of some fixed constant €, 
however small, the language accepted by the automaton of Figure 7 will be empty. 

On the other hand, timed automata do not distinguish between the set of reals R and 
the set of rationals Q. Only the denseness of the underlying domain plays a crucial role. 
In particular, Theorem 3.17 shows that if we require all the time values in time sequences 
to be rational numbers, the untimed language Untime[L(A)] of a timed automaton A 
stays unchanged. 


Theorem 3.17 Let L be a timed regular language. For every word o, o € Untime(L) iff 
there exists a time sequence 7 such that 7; € Q for all ¿ > 1, and (0,7) € L. 


PROOF. Consider a timed automaton A, and a word o. If there exists a time sequence 
T with all rational time values such that (0,7) € L(A), then clearly, o € Untime[L(A)]. 

Now suppose for an arbitrary time sequence 7, (a, T) € L(A). Let e € Q be such that 
every constant appearing in the clock constraints of A is an integral multiple of e. Let 
To = 0, and mo = 0. If 7; = 7; +ne for some 0 < j < i and n € N, then choose 7; = T; + ne. 
Otherwise choose 7/ € Q such that for all 0 < j < 2, for all n € N, (7/ — ri) < ne iff 
(Ti — Tj) < ne. Note that because of the denseness of Q such a choice of 7! is always 
possible. 

Consider an accepting run r = (3,7) of A over (0,7). Because of the construction of 
tT’, if a clock x is reset at the 2-th transition point, then its possible values at the j-th 
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a, (x<5) ? | a, (x<2)? 


Figure 8: Timed Muller automaton 


transition point along the two time sequences, namely, (T; — 7;) and (7; — 7), satisfy the 
same set of clock constraints. Consequently it is possible to construct an accepting run 
r = (5,7!) over (a, T’) which follows the same sequence of edges as r. In particular, choose 
v = vo, and if the i-th transition along r is according to the edge (s;—1, Si, Ci, Ai, Ĝi), then 
set vi = [\;  O]({_, +7! — T/_,). Consequently, A accepts (o,7’). m 


3.7 Timed Muller automata 


We can define timed automata with Muller acceptance conditions also. 


Definition 3.18 A timed Muller automaton (TMA) is a tuple (£, S, So, C, E, F}, where 
(X, S, So, C, E) is a timed transition table, and F € 2° specifies an acceptance family. 

A run r = (3,7) of the automaton over a timed word (0,7) is an accepting run iff 
inf (r) € F. 

For a TMA A, the language L(A) of timed words it accepts is defined to be the set 
{(o,7) | A has an accepting run over (o, T)}. m 


Example 3.19 Consider the automaton of Figure 8 over the alphabet {a,b,c}. The 
start state is so, and the Muller acceptance family consists of a single set {59,82}. So any 
accepting run should cycle between states so and sı only finitely many times, and between 
states so and s infinitely many times. Every word (0,7) accepted by the automaton 
satisfies: (1) o € (a(b+c))*(ac)”, and (2) for all ¿ > 1, the difference (72;-1 — T2;-2) is less 
than 2 if the (2i)-th symbol is €, and less than 5 otherwise. m 


Recall that untimed Buchi automata and Muller automata have the same expressive 
power. The following theorem states that the same holds true for TBAs and TMAs. Thus 
the class of timed languages accepted by TMAs is the same as the class of timed regular 
languages. The proof of the following theorem closely follows the standard argument that 
an w-regular language is accepted by a Buchi automaton iff it is accepted by some Muller 
automaton. 


Theorem 3.20 A timed language is accepted by some timed Butchi automaton iff it is 
accepted by some timed Muller automaton. 

PROOF. Let A = (X, S, So, C, E, F) be a TBA. Consider the TMA A’ with the same 
timed transition table as that of A, and with the acceptance family F = {9 C S : SAF Æ 
Ø}. It is easy to check that L(A) = L(A’). This proves the “only if” part of the claim. 
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In the other direction, given a TMA, we can construct a TBA accepting the same 
language using the simulation of Muller acceptance condition by Buchi automata. Let 
A be a TMA given as (4,5,50,C,E,). First note that L(A) = Up. ¢l(Ar) where 
Ap = (%,5,50,C,E,{F}), so it suffices to construct, for each acceptance set F, a TBA 
Aj, which accepts the language L(Ar). Assume F = {s1,... sp}. The automaton Ap 
uses nondeterminism to guess when the set F is entered forever, and then uses a counter 
to make sure that every state in F is visited infinitely often. States of Ap are of the 
form (s, i), where s € S and à € {0,1,...k}. The set of initial states is So x {0}. The 
automaton simulates the transitions of A, and at some point nondeterministically sets 
the second component to 1. For every transition (s,s’,a,,6) of A, the automaton Ap 
has a transition ((s,0), (s’,0),a,A,6), and, in addition, if s’ € F it also has a transition 
((5,0), (3’, 1), a, A, 6). 

While the second component is nonzero, the automaton is required to stay within the 
set F. For every A-transition (s,s’,a,A,6) with both s and s’ in F, for each 1 <i < k, 
there is an Aj-transition ((s,2), (s’,7),a,A,6) where j = (¢+1) mod k, if s equals s;, else 
j =i. The only accepting state is (są, k). m 


4 Checking emptiness 


In this section we develop an algorithm for checking the emptiness of the language of a 
timed automaton. The existence of an infinite accepting path in the underlying transition 
table is clearly a necessary condition for the language of an automaton to be nonempty. 
However, the timing constraints of the automaton rule out certain additional behaviors. 
We will show that a Buchi automaton can be constructed that accepts exactly the set of 
untimed words that are consistent with the timed words accepted by a timed automaton. 


4.1 Restriction to integer constants 


Recall that our definition of timed automata allows clock constraints which involve com- 
parisons with rational constants. The following lemma shows that, for checking emptiness, 
we can restrict ourselves to timed automata whose clock constraints involve only integer 
constants. For a timed sequence 7 and t € Q, let t-r denote the timed sequence obtained 
by multiplying all 7; by ¢. 


Lemma 4.1 Consider a timed transition table A, a timed word (0,7), and t € Q. (3,7) 
is a run of A over (0,7) iff (3,t-7) is a run of A; over (o,t-7), where A; is the timed 
transition table obtained by replacing each constant d in each clock constraint labeling 


the edges of A by t-d. 


PROOF. The lemma can be proved easily from the definitions using induction. m 


Thus there is an isomorphism between the runs of A and the runs of A;. If we choose 
t to be the least common multiple of denominators of all the constants appearing in the 
clock constraints of A, then the clock constraints for A; use only integer constants. In this 
translation, the values of the individual constants grow at most with the product of the 
denominators of all the original constants. We assume binary encoding for the constants. 
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Let us denote the length of the clock constraints of A by |6(A)|. It is easy to prove that 
16(.4:)| is bounded by |6(.A)|?. Observe that this result depends crucially on the fact that 
we encode constants in binary notation; if we use unary encoding then |6(A;)| can be 
exponential in |6(.4)|. 

Observe that L(A) is empty iff L[A4;] is empty. Hence, to decide the emptiness of 
L(A) we consider A;. Also Untime[L(A)] equals Untime[L(A,;)]. In the remainder of the 


section we assume that the clock constraints use only integer constants. 


4.2 Clock regions 


At every point in time the future behavior of a timed transition table is determined by 
its state and the values of all its clocks. This motivates the following definition: 


Definition 4.2 For a timed transition table (©,5,59,C,E), an extended state is a pair 
(s,v) where s € S and v is a clock interpretation for C. m 


Since the number of such extended states is infinite (in fact, uncountable), we cannot 
possibly build an automaton whose states are the extended states of A. But if two 
extended states with the same A-state agree on the integral parts of all clock values, and 
also on the ordering of the fractional parts of all clock values, then the runs starting from 
the two extended states are very similar. The integral parts of the clock values are needed 
to determine whether or not a particular clock constraint is met, whereas the ordering of 
the fractional parts is needed to decide which clock will change its integral part first. For 
example, if two clocks x and y are between 0 and 1 in an extended state, then a transition 
with clock constraint (x = 1) can be followed by a transition with clock constraint (y = 1), 
depending on whether or not the current clock values satisfy (x < y). 

The integral parts of clock values can get arbitrarily large. But if a clock x is never 
compared with a constant greater than c, then its actual value, once it exceeds c, is of no 
consequence in deciding the allowed paths. 

Now we formalize this notion. For any t € R, fract(t) denotes the fractional part of t, 
and |t| denotes the integral part of t; that is, { = |t| + fract(t). We assume that every 
clock in C appears in some clock constraint. 


Definition 4.3 Let A = (X, S, So, C, E) be a timed transition table. For each x € C, let 
c be the largest integer c such that (x < €) or (e < x) is a subformula of some clock 
constraint appearing in E. 

The equivalence relation ~ is defined over the set of all clock interpretations for C; 
v~ iff all the following conditions hold: 


1. For all x € C, either |v(x)| and |v’(x)] are the same, or both v(x) and v’(x) are 
greater than cz. 


2. For all z,y € C with v(x) < c, and v(y) < cy, fract(v(x)) < fract(v(y)) iff 
fract(v'(x)) < fract(v'(y)). 


3. For all x € C with v(x) < cs, fract(v(x)) = 0 iff fract(v'(x)) = 0. 


A clock region for À is an equivalence class of clock interpretations induced by ~. m 
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6 Corner points: e.g. [(0,1)] 
1 14 Open line segments: e.g. [0 < x = y < 1] 
8 Open regions: e.g. [0 < x <y <1] 


Figure 9: Clock regions 


We will use [y] to denote the clock region to which v belongs. Each region can be 
uniquely characterized by a (finite) set of clock constraints it satisfies. For example, 
consider a clock interpretation v over two clocks with v(x) = 0.3 and v(y) = 0.7. Every 
clock interpretation in [v] satisfies the constraint (0 < x < y < 1), and we will represent 
this region by [0 < x < y < 1]. The nature of the equivalence classes can be best 
understood through an example. 


Example 4.4 Consider a timed transition table with two clocks x and y with c, = 2 and 
cy = 1. The clock regions are shown in Figure 9. m 


Note that there are only a finite number of regions. Also note that for a clock constraint 
6 of A, if v~r” then v satisfies 6 iff v’ satisfies 6. We say that a clock region a satisfies a 
clock constraint 6 iff every v € a satisfies 6. Each region can be represented by specifying 


(1) for every clock x, one clock constraint from the set 
{v=clc=0,1,...c-;U{e-l<a<cle=l,...cq}U{e> ce}, 


(2) for every pair of clocks x and y such that c— 1 < x < ec and d—1 < y <d 
appear in (1) for some c,d, whether fract(x) is less than, equal to, or 
greater than fract(y). 


By counting the number of possible combinations of equations of the above form, we get 
the upper bound in the following lemma. 


Lemma 4.5 The number of clock regions is bounded by [|C|!-2!°!-Iec(2cz + 2)]. m 


Remember that |6(A)| stands for the length of the clock constraints of A assuming 
binary encoding, and hence the product ILec(2c; + 2) is o2(Alty, Since the number 
of clocks |C] is bounded by [6(4)|, henceforth, we assume that the number of regions is 
ORAN, Note that if we increase 6(A) without increasing the number of clocks or the 
size of the largest constants the clocks are compared with, then the number of regions 
does not grow with |6(A)|. Also observe that a region can be represented in space linear 


in |6(A)]. 
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4.3 The region automaton 


The first step in the decision procedure for checking emptiness is to construct a transition 
table whose paths mimic the runs of A in a certain way. We will denote the desired 
transition table by R(A), the region automaton of A. A state of R( A) records the state 
of the timed transition table A, and the equivalence class of the current values of the 
clocks. It is of the form (s,a) with s € S and a being a clock region. The intended 
interpretation is that whenever the extended state of A is (s,v), the state of R(A) is 
(s,[v]). The region automaton starts in some state (so, [vo]) where so is a start state of A, 
and the clock interpretation vo assigns 0 to every clock. The transition relation of R(A) 
is defined so that the intended simulation is obeyed. It has an edge from (s, a) to (s’, a’) 
labeled with a iff A in state s with the clock values v € à can make a transition on a to 
the extended state (s’,v’) for some v’ € a’. 

The edge relation can be conveniently defined using a time-successor relation over the 
clock regions. The time-successors of a clock region a are all the clock regions that will 
be visited by a clock interpretation v € a as time progresses. 


Definition 4.6 A clock region a’ is a time-successor of a clock region a iff for each v € a, 
there exists a positive t € R such that v +t € a’. m 


Example 4.7 Consider the clock regions shown in Figure 9 again. The time-successors 
of a region a are the regions that can be reached by moving along a line drawn from some 
point in a in the diagonally upwards direction (parallel to the line x = y). For example, 
the region [(1 < x < 2),(0 < y < x — 1)] has, other than itself, the following regions as 
time-successors: [(x = 2),(0 < y < 1)], [(x > 2),(0 < y < 1), [(x > 2), (y = 1)] and 
(z > 2),(y>1)]. m 


Now let us see how to construct all the time-successors of a clock region. Recall that a 
clock region a is specified by giving (1) for every clock x, a constraint of the form (x = c) 
or (c—1 <x<c)or (x > cz), and (2) for every pair x and y such that (c—1 < x < €) and 
(d—1 <y < d) appear in (1), the ordering relationship between fract(x) and fract(y). 
To compute all the time-successors of œ we proceed as follows. First observe that the 
time-successor relation is a transitive relation. We consider different cases. 

First suppose that a satisfies the constraint (x > c,) for every clock x. The only 
time-successor of a is itself. This is the case for the region [(x > 2), (y > 1)] in Figure 9. 

Now suppose that the set Co consisting of clocks + such that a satisfies the constraint 
(x = c) for some € < cz, is nonempty. In this case, as time progresses the fractional 
parts of the clocks in Co become nonzero, and the clock region changes immediately. The 
time-successors of œa are same as the time-successors of the clock region 5 specified as 
below: 


(1) For x € Co, if a satisfies (x = c,) then £ satisfies (x > c,), otherwise if a 
satisfies (x = c) then £8 satisfies (c < x < c+1). For x & Co, the constraint 
in § is the same as that in a. 

(2) For clocks x and y such that x < c, and y < c holds in a, the ordering 
relationship in 8 between their fractional parts is the same as in a. 


18 


For instance, in Figure 9, the time-successors of [(x = 0),(0 < y < 1)] are same as the 
time-successors of [0 < x < y < 1]. 

If both the above cases do not apply, then let Co be the set of clocks x for which a 
does not satisfy (x > cs) and which have the maximal fractional part; that is, for all 
clocks y for which a does not satisfy (y > cy), fract(y) < fract(x) is a constraint of a. In 
this case, as time progresses, the clocks in Co assume integer values. Let 5 be the clock 
region specified by 


(1) For x € Co, if a satisfies (c — 1 < x < c) then 8 satisfies (x = c). For 
x ¢ Co, the constraint in 8 is same as that in a. 

(2) For clocks x and y such that (ec —1 < x < c) and (d— 1 < y < d) appear 
in (1), the ordering relationship in 3 between their fractional parts is same 
as in a. 


In this case, the time-successors of a include a, 3, and all the time-successors of 3. For 
instance, in Figure 9, time-successors of [0 < x < y < 1] include itself, [(0 < x < 1), (y= 
1)], and all the time-successors of [(0 < x < 1), (y = 1)]. 

Now we are ready to define the region automaton. 


Definition 4.8 For a timed transition table A = (£, S, So, C, E), the corresponding re- 
gion automaton R(A) is a transition table over the alphabet X. 


e The states of R(A) are of the form (s,a) where s € S and a is a clock region. 
e The initial states are of the form (so, [vo]) where so € So and #(x) = 0 for all x € C. 


e R(A) has an edge ((s, a), (s’, a’), a) iff there is an edge (s, s’,a, 4,6) € E and a region 
a” such that (1) a” is a time-successor of a, (2) a” satisfies 6, and (3) a’ = [A + 0]a”. 


Example 4.9 Consider the timed automaton Ag shown in Figure 10. The alphabet 
is {a,b,c,d}. Every state of the automaton is an accepting state. The corresponding 
region automaton R(Apo) is also shown. Only the regions reachable from the initial region 
(so, [£ = y = 0]) are shown. Note that c, = 1 and c, = 1. The timing constraints of the 
automaton ensure that the transition from s2 to s3 is never taken. The only reachable 
region with state component sz satisfies the constraints [y = 1,x > 1], and this region has 
no outgoing edges. Thus the region automaton helps us in concluding that no transitions 
can follow a b-transition. m 


From the bound on the number of regions, it follows that the number of states in R(A) 
is O[|S|-2!Aly, An inspection of the definition of the time-successor relation shows that 
every region has at most “,ec[2c, + 2] successor regions. The region automaton has at 
most one edge out of (s, a) for every edge out of s and every time-successor of a. It follows 
that the number of edges in R(A) is OJEE, Note that computing the time-successor 
relation is easy, and can be done in time linear in the length of the representation of the 
region. Constructing the edge relation for the region automaton is also relatively easy; in 
addition to computing the time-successors, we also need to determine whether the clock 
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Figure 10: Automaton Ao and its region automaton 


constraint labeling a particular A-transition is satisfied by a clock region. The region 
graph can be constructed in time O[(|S] + ED 2181, 


Now we proceed to establish a correspondence between the runs of A and the runs of 


R(A). 
Definition 4.10 For a run r = (3,7) of A of the form 

ro: (so, Lo) = (81,1) Eu (52, V2) = 
define its projection [r] = (3, [7]) to be the sequence 


Ir] : lso [oh > ts hah > tsan [p == 
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From the definition of the edge relation for R(A), it follows that [r] is a run of R(A) 
over g. Since time progresses without bound along r, every clock x € C is either reset 
infinitely often, or from a certain time onwards it increases without bound. Hence, for 
all x € C, for infinitely many 7 > 0, [v;] satisfies [(x = 0) V (x > ¢,)]. This prompts the 
following definition: 


Definition 4.11 A run r = (3,q@) of the region automaton R(A) of the form 


r : (89, Q0) 1, (51, 1) 72; (52, Q2) Z, ... 
is progressive iff for each clock x € C, there are infinitely many 2 > 0 such that a; satisfies 
[(x = 0) V(x>c)]. m 


Thus for a run r of A over (0,7), [r] is a progressive run of R( A) over o. The following 
Lemma 4.13 implies that progressive runs of R(A) precisely correspond to the projected 
runs of A. Before we prove the lemma let us consider the region automaton of Example 4.9 
again. 


Example 4.12 Consider the region automaton R(Ao) of Figure 10. Every run r of 
R(Apo) has a suffix of one of the following three forms: (i) the automaton cycles between 
the regions (51,[y =0 < x < 1]) and (s3,[0 < y < x < 1]), (ii) the automaton stays in the 
region (53, [0 < y < 1 < x]) using the self-loop, or (iii) the automaton stays in the region 
(s3, [a > 1,y > 1]). 

Only the case (iii) corresponds to the progressive runs. For runs of type (i), even 
though y gets reset infinitely often, the value of x is always less than 1. For runs of type 
(ii), even though the value of x is not bounded, the clock y is reset only finitely often, 
and yet, its value is bounded. Thus every progressive run of Ag corresponds to a run of 


R( Ao) of type (iii). m 


Lemma 4.13 If r is a progressive run of R(A) over o then there exists a time sequence 
T and à run r’ of A over (0,7) such that r equals [r’]. 


PROOF. Consider a progressive run r = (3,@) of R(A) over o. We construct the run 
r’ and the time sequence 7 step by step. As usual, r’ starts with (50,70). Now suppose 
that the extended state of A is (s;,v;) at time 7; with v; € a;. There is an edge in R(A) 
from (s;, a) to (8:41, Q:41) labeled with 0:41. From the definition of the region automaton 
it follows that there is an edge (sj, 8:41, 0:41, Ai41, 6541) € E and a time-successor a, of 
a; such that al}; satisfies 6:4; and aj41 = [Ai + Olai,,. From the definition of time- 
successor, there exists a time 7;41 such that (r; + Ti41 — Ti) € ayı- Now it is clear the 
next transition of A can be at time 7:41 to an extended state (8:41, vi41) with viy € ay. 


Using this construction repeatedly we get a run r’ = (3,7) over (o, T) with [r] = r. 

The only problem with the above construction is that 7 may not satisfy the progress 
condition. Suppose that 7 is a converging sequence. We use the fact that r is a progressive 
run to construct another time sequence 7’ satisfying the progress requirement and show 
that the automaton can follow the same sequence of transitions as r’ but at times 7”. 

Let Co be the set of clocks reset infinitely often along r. Since 7 is a converging 
sequence, after a certain position onwards, every clock in Co gets reset before it reaches 
the value 1. Since r is progressive, every clock x not in Co, after a certain position 
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onwards, never gets reset, and continuously satisfies x > cs. This ensures that there 
exists j > 0 such that (1) after the j-th transition point each clock z ¢ Co continuously 
satisfies (x > cz), and each clock x € Co continuously satisfies (x < 1), and (2) for each 
k > 9, (Tk —7;) is less than 0.5. 

Let 7 < ky < k2,... be an infinite sequence of integers such that each clock x in Co 
is reset at least once between the k;-th and k;,1-th transition points along r. Now we 
construct another sequence r” = (3,7) with the sequence of transition times 7’ as follows. 
The sequence of transitions along r” is same as that along r’. If 7 & {k1,k2...} then 
we require the (à + 1)-th transition to happen after a delay of (7:41 — Ti), otherwise we 
require the delay to be 0.5. Observe that along r” the delay between the k;-th and k;,1-th 
transition points is less than 1. Consequently, in spite of the additional delays, the value 
of every clock in Co remains less than 1 after the j-th transition point. So the truth of 
all the clock constraints and the clock regions at the transition points remain unchanged 
(as compared to r’). From this we conclude that r” satisfies the consecution requirement, 
and is a run of A. Furthermore, [r”] = [r] = r. 

Since 7’ has infinitely many jumps each of duration 0.5, it satisfies the progress re- 
quirement. Hence r” is the run required by the lemma. m 


4.4 The untiming construction 


For a timed automaton A, its region automaton can be used to recognize Untime[L(A)]. 


The following theorem is stated for TBAs, but it also holds for TMAs. 


Theorem 4.14 Given a TBA A = (%,5,So,C,E,F), there exists a Büchi automaton 
over © which accepts Untime[L(A)]. 


PROOF. We construct a Biichi automaton A’ as follows. Its transition table is R(A), 
the region automaton corresponding to the timed transition table (©,5,59,C,E). The 
accepting set of A’ is F' = {(s,a) |s E€ F}. 

If r is an accepting run of A over (0,7), then fr] is a progressive and accepting run of 
A’ over o. The converse follows from Lemma 4.13. Given a progressive run r of A’ over 
c, the lemma gives a time sequence 7 and a run r’ of A over (o,7) such that r equals [r’]. 
If r is an accepting run, so is r’. It follows that o € Untime[L(A)] iff A’ has a progressive, 
accepting run over it. 

For x € C, let F, = {(s,a) | a H [(x = 0) V (z > c,)]}. Recall that a run of A’ is 
progressive iff some state from each F, repeats infinitely often. It is straightforward to 
construct another Biichi automaton A” such that A’ has a progressive and accepting run 
over o iff A” has an accepting run over o. 

The automaton A” is the desired automaton; L(A”) equals Untime[L(A)]. m 


Example 4.15 Let us consider the region automaton R(Ao) of Example 4.9 again. Since 
all states of Ap are accepting, from the description of the progressive runs in Example 4.12 
it follows that the transition table R(Ao) can be changed to a Biichi automaton by choos- 
ing the accepting set to consist of a single region (s3,[¢ > 1,y > 1]). Consequently 


Untime[L(Ao)] = L[R(Ao)] = ac(ac)* d”. 
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Theorem 4.14 says that the timing information in a timed automaton is “regular” 
in character; its consistency can be checked by a finite-state automaton. An equivalent 
formulation of the theorem is 


If a timed language L is timed regular then Untime(L) is w-regular. 


Furthermore, to check whether the language of a given TBA is empty, we can check 
for the emptiness of the language of the corresponding Buchi automaton constructed by 
the proof of Theorem 4.14. The next theorem follows. 


Theorem 4.16 Given a timed Büchi automaton A = (X, S, So, ©, E, F} the emptiness of 
L(A) can be checked in time O[(|5] + JE} 2181, 

PROOF. Let A’ be the Büchi automaton constructed as outlined in the proof of The- 
orem 4.14. Recall that in Section 4.3 we had shown that the number of states in A’ is 
O[|S|-2!6AdI], the number of edges is O[IEL-28 AN. 

The language L(A) is nonempty iff there is a cycle C in A’ such that C is accessible 
from some start state of A’ and C contains at least one state each from the set F’ and each 
of the sets F,. This can be checked in time linear in the size of A’ [41]. The complexity 
bound of the theorem follows. m 


Recall that if we start with an automaton A whose clock constraints involve rational 
constants, we need to apply the above decision procedure on A; for the least common 
denominator t of all the rational constants (see Section 4.1). This involves a blow-up in 
the size of the clock constraints; we have 6[.A,] = O[é(A)’]. 

The above method can be used even if we change the acceptance condition for timed 
automata. In particular, given a timed Muller automaton A we can effectively construct 
a Muller (or, Büchi) automaton which accepts Untime[L(A)], and use it to check for the 
emptiness of L(A). 


4.5 Complexity of checking emptiness 


The complexity of the algorithm for deciding emptiness of a TBA is exponential in the 
number of clocks and the length of the constants in the timing constraints. This blow-up 
in complexity seems unavoidable; we reduce the acceptance problem for linear bounded 
automata, a known PSPACE-complete problem [23], to the emptiness question for TBAs 
to prove the PSPACE lower bound for the emptiness problem. We also show the problem 
to be PSPACE-complete by arguing that the algorithm of Section 4.4 can be implemented 
in polynomial space. 


Theorem 4.17 The problem of deciding the emptiness of the language of a given timed 
automaton A, is PSPACE-complete. 

PROOF. [PSPACE-membership] Since the number of states of the region automaton 
is exponential in the number of clocks of A, we cannot construct the entire transition 
table. But it is possible to (nondeterministically) check for nonemptiness of the region 
automaton by guessing a path of the desired form using only polynomial space. This is a 
fairly standard trick, and hence we omit the details. 
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[PSPACE-hardness] The question of deciding whether a given linear bounded automa- 
ton accepts a given input string is PSPACE-complete [23]. A linear bounded automaton 
M is a nondeterministic Turing machine whose tape head cannot go beyond the end of 
the input markers. We construct a TBA A such that its language is nonempty iff the 
machine M halts on a given input. 

Let I be the tape alphabet of M and let Q be its states. Let © =T U (T x Q), and 
let a1, d2,...a, denote the elements of X. A configuration of M in which the tape reads 
192 +», and the machine is in state q reading the z-th tape symbol, is represented by 
the string o1,...0, over © such that o; = +; if j #2 and o; = (yiq). 

The acceptance corresponds to a special state qs; after which the configuration stays 
unchanged. The alphabet of A includes ©, and in addition, has a symbol ag. A compu- 
tation of M is encoded by the word 


alag. . Tago; do - . o? 


j J 
ndo-..0140...0,40... 


such that of... a! encodes the j-th configuration according to the above scheme. The 
time sequence associated with this word also encodes the computation: we require the 
time difference between successive dg’s to be k+1, and if o? = a; then we require its time 
to be l greater than the time of the previous ag. The encoding in the time sequence is 
used to enforce the consecution requirement. 

We want to construct A which accepts precisely the timed words encoding the halting 
computations of M according to the above scheme. We only sketch the construction. 
A uses 2n + 1 clocks. The clock x is reset with each ao. While reading ag we require 
(x = k +1) to hold, and while reading a; we require (x = à) to hold. These conditions 
ensure that the encoding in the time sequence is consistent with the word. For each tape 
cell 7, we have two clocks x; and y;. The clock x; is reset with a7, for odd values of j, 
and the clock y; is reset with af, for even values of 7. Assume that the automaton has 
read the first 7 configurations, with 7 odd. The value of the clock x; represents the 2-th 
cell of the j-th configuration. Consequently, the possible choices for the values of a17! 
determined by examining the values of x;_1, z; and x;4, according to the transition rules 
for M. While reading the (j + 1)-th configuration, the y-clocks get set to appropriate 
values; these values are examined while reading the (J + 2)-th configuration. This ensures 
proper consecution of configurations. Proper initialization and halting can be enforced in 
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a straightforward way. The size of A is polynomial in n and the size of M. m 


Note that the source of this complexity is not the choice of R to model time. The 
PSPACE-hardness result can be proved if we leave the syntax of timed automata un- 
changed, but use the discrete domain N to model time. Also this complexity is insensitive 
to the encoding of the constants; the problem is PSPACE-complete even if we encode all 
constants in unary. 


5 Intractable problems 


In this section we show the universality problem for timed automata to be undecidable. 
The universality problem is to decide whether the language of a given automaton over 
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X comprises all the timed words over ©. Specifically, we show that the problem is IH- 
hard by reducing a Ii-hard problem of 2-counter machines. The class II} consists of 
highly undecidable problems, including some nonarithmetical sets (for an exposition of 
the analytical hierarchy consult, for instance, [39]). Note that the universality problem 
is same as deciding emptiness of the complement of the language of the automaton. 
The undecidability of this problem has several implications such as nonclosure under 
complement and undecidability of testing for language inclusion. 


5.1 A “}-complete problem 


A nondeterministic 2-counter machine M consists of two counters C and D, and a se- 
quence of n instructions. Each instruction may increment or decrement one of the coun- 
ters, or Jump, conditionally upon one of the counters being zero. After the execution 
of a nonjump instruction, M proceeds nondeterministically to one of the two specified 
instructions. 

We represent a configuration of M by a triple (i,c,d), where 1 <i < n, c > 0, and 
d > 0 give the values of the location counter and the two counters C and D, respectively. 
The consecution relation on configurations is defined in the obvious way. A computation of 
M is an infinite sequence of related configurations, starting with the initial configuration 
(1,0,0). It is called recurring iff it contains infinitely many configurations in which the 
location counter has the value 1. 

The problem of deciding whether a nondeterministic Turing machine has, over the 
empty tape, a computation in which the starting state is visited infinitely often, is known 
to be /}-complete [19]. Along the same lines we obtain the following result. 


Lemma 5.1 The problem of deciding whether a given nondeterministic 2-counter ma- 
chine has a recurring computation, is Sj-hard. m 


5.2 Undecidability of the universality problem 


Now we proceed to encode the computations of 2-counter machines using timed automata, 
and use the encoding to prove the undecidability result. 


Theorem 5.2 Given a timed automaton over an alphabet Ÿ the problem of deciding 
whether it accepts all timed words over © is IIj-hard. 


PROOF. We encode the computations of a given 2-counter machine M with n instruc- 
tions using timed words over the alphabet {b1,...b,,a1,a2}. A configuration (ż, c,d) is 
represented by the sequence b;a$af. We encode a computation by concatenating the se- 
quences representing the individual configurations. We use the time sequence associated 
with a timed word o to express that the successive configurations are related as per the 
requirements of the program instructions. We require that the subsequence of o corre- 
sponding to the time interval [j, 7 + 1) encodes the j-th configuration of the computation. 
Note that the denseness of the underlying time domain allows the counter values to get 
arbitrarily large. To enforce a requirement such as the number of a; symbols in two in- 
tervals encoding the successive configurations is the same we require that every a, in the 
first interval has a matching a, at distance 1 and vice versa. 

Define a timed language Dundee as follows. (0,7) is in Lundec iff 
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CRE b afta% baa? -.. such that (i1, c1, d1), (ta, Ca, do) +++ is a recurring computa- 


tion of M. 
e For all j > 1, the time of b; is J. 
e For all 7 > 1, 


— if cj41 = c; then for every a; at time ¢ in the interval (j, j + 1) there is an ay 
at time t+ 1. 


— if cj41 = c; +1 then for every a, at time t in the interval (J + 1,7 + 2) except 
the last one, there is an a, at time t — 1. 


— if cj41 = c; — 1 then for every a; at time t in the interval (J, j + 1) except the 
last one, there is an a, at time { +1. 


Similar requirements hold for a ’s. 


Clearly, Dundee is nonempty iff M has a recurring computation. We will construct a timed 
automaton Agndee Which accepts the complement of Landec. Hence Aundee accepts every 
timed word iff M does not have a recurring computation. The theorem follows from 
Lemma 5.1. 

The desired automaton Ayndce is a disjunction of several TBAs. 

Let Ao be the TBA which accepts (0,7) iff for some integer j > 1, either there is no b 
symbol at time j, or the subsequence of o in the time interval (J, j +1) is not of the form 
aïas. It is easy to construct such a timed automaton. 

A timed word (9,7) in Landec Should encode the initial configuration over the interval 
[1,2). Let Amz be the TBA which requires that the subsequence of o corresponding to 
the interval [1, 2) is not b1; it accepts the language {(0,7) | (o1 4 61) V (mı 4 1)V(r < 2)}. 

For each instruction 1 <7 < n we construct a TBA A;. A; accepts (0,7) iff the timed 
word has b; at some time t, and the configuration corresponding to the subsequence in 
[t+ 1,¢ +2) does not follow from the configuration corresponding to the subsequence in 
[t,t+1) by executing the instruction à. We give the construction for a sample instruction, 
say, “increment the counter D and jump nondeterministically to instruction 3 or 5”. The 
automaton A; is the disjunction of the following six TBAs A},...A®. 

Let A} be the automaton which accepts (o,r) iff for some j > 1, o; = b;, and at time 
Tj + 1 there is neither 63 nor 65. It is easy to construct this automaton. 


Let A? be the following TBA: 


la. ,x=1? 


x1? 


In this figure, an edge without a label means that the transition can be taken on every 
input symbol. While in state s2, the automaton cannot accept a symbol a, if the condition 
(x = 1) holds. Thus A? accepts (0,7) iff there is some b; at time t followed by an ay at 
time t < (t + 1) such that there is no matching a, at time (t + 1). 
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Similarly we can construct A? which accepts (ø, T) iff there is some b; at time t, and 
for some t < (t + 1) there is no a; at time t but there is an a, at time (t +1). The 
complements of A? and A? together ensure proper matching of ay’s. 

Along similar lines we ensure proper matching of az symbols. Let A? be the automaton 
which requires that for some b; at time t, there is an az at some t’ < (t +1) with no match 
at (t +1). Let A? be the automaton which says that for some b; at time ¢ there are two 
azs in (t+1,t+2) without matches in (¢,¢+1). Let A’ be the automaton which requires 
that for some b; at time ¢ the last az in the interval (t + 1,t + 2) has a matching az in 
(t,t +1). Now consider a word (o,7) such that there is b; at some time ¢ such that the 
encoding of a2’s in the intervals (t,t + 1) and (t + 1,t + 2) do not match according to 
the desired scheme. Let the number of az’s in (t,t + 1) and in (t+ 1,t+ 2) be k and l 
respectively. If k > l then the word is accepted by A?. If k = l, then either there is no 
match for some az in (t,t + 1), or every az in (t,t + 1) has a match in (t + 1,t + 2). In 
the former case the word is accepted by 4, and in the latter case it is accepted by A’. 
If k < l the word is accepted by AŽ. 

The requirement that the computation be not recurring translates to the requirement 
that b appears only finitely many times in ø. Let Arcur be the Büchi automaton which 
expresses this constraint. 


Putting all the pieces together we claim that the language of the disjunction of Ao, 
Ainits Arceur, and each of A;, is the complement of Landec. M 


It is shown in [5] that the satisfiability problem for a real-time extension of the propo- 
sitional linear temporal logic PTL becomes undecidable if a dense domain is chosen to 
model time. Thus our undecidability result is not unusual for formalisms reasoning about 
dense real-time. Obviously, the universality problem for TMAs is also undecidable. We 
have not been able to show that the universality problem is II}-complete, an interest- 
ing problem is to locate its exact position in the analytical hierarchy. In the following 
subsections we consider various implications of the above undecidability result. 


5.3 Inclusion and equivalence 


Recall that the language inclusion problem for Buchi automata can be solved in PSPACE. 
However, it follows from Theorem 5.2 that there is no decision procedure to check whether 
the language of one TBA is a subset of the other. This result is an obstacle in using timed 
automata as a specification language for automatic verification of finite-state real-time 
systems. 


Corollary 5.3 Given two TBAs A, and A over an alphabet Y, the problem of checking 
L(A) € L(A) is I-hard. 
PROOF. We reduce the universality problem for a given timed automaton A over © to 


the language inclusion problem. Let 4,,;, be an automaton which accepts every timed 
word over X. The automaton A is universal iff L(Aui.) € L(A). m 


Now we consider the problem of testing equivalence of two automata. A natural 
definition for equivalence of two automata uses equality of the languages accepted by the 
two. However alternative definitions exist. We will explore one such notion. 
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Definition 5.4 For timed Büchi automata A; and A over an alphabet Y, define 
Ai~1 A iff L(A) = L(A). Define Ay ~g Az iff for all timed automata A over F, 
L(A) A L(A) is empty precisely when L(A) A L( A2) is empty. m 


For a class of automata closed under complement the above two definitions of equiv- 
alence coincide. However, these two equivalence relations differ for the class of timed 
regular languages because of the nonclosure under complement (to be proved shortly). In 
fact, the second notion is a weaker notion: A; ~1 A2 implies A, ~2 A2, but not vice versa. 
The motivation behind the second definition is that two automata (modeling two finite- 
state systems) should be considered different only when a third automaton (modeling the 
observer or the environment) composed with them gives different behaviors: in one case 
the composite language is empty, and in the other case there is a possible joint execution. 
The proof of Theorem 5.2 can be used to show undecidability of this equivalence also. 
Note that the problems of deciding the two types of equivalences lie at different levels of 
the hierarchy of undecidable problems. 


Theorem 5.5 For timed Büchi automata A; and A over an alphabet ©, 


1. The problem of deciding whether A, +; 42 is IT-hard. 


2. The problem of deciding whether A, +2 Az is complete for the co-r.e. class. 


PROOF. The language of a given TBA A is universal iff A+, Aunis. Hence the IH- 
hardness of the universality problem implies I[j-hardness of the first type of equivalence. 

Now we show that the problem of deciding nonequivalence, by the second definition, 
is recursively enumerable. If the two automata are inequivalent then there exists an 
automaton A over È such that only one of L(A) A L(A) and L(A) N L(A) is empty. 
Consider the following procedure P: P enumerates all the TBAs over © one by one. 
For each TBA A, it checks for the emptiness of L(A) L(A) and the emptiness of 
L(A) A L(4). If P ever finds different answers in the two cases, it halts saying that A; 
and A, are not equivalent. 

Finally we prove that the problem of deciding the second type of equivalence is unsolv- 
able. We use the encoding scheme used in the proof of Theorem 5.2. The only difference 
is that we use the halting problem of a deterministic 2-counter machine M instead of the 
recurring computations of a nondeterministic machine. Recall that the halting problem 
for deterministic 2-counter machines is undecidable. Assume that the n-th instruction 
is the halting instruction. We obtain Angee by replacing the disjunct A4, by an au- 
tomaton which accepts (o,7) iff bn does not appear in o. The complement of L(A ndee) 
consists of the timed words encoding the halting computation. 

We claim that Aux ~2 Andee iff the machine M does not halt. If M does not halt 
then Andee accepts all timed words, and hence, its language is the same as that of Auniv. 
If M halts, then we can construct a timed automaton Arau which accepts a particular 
timed word encoding the halting computation of M. If M halts in k steps, then Ajay 
uses k clocks to ensure proper matching of the counter values in successive configurations. 
The details are very similar to the PSPACE-hardness proof of Theorem 4.17. L( Anat) N 
L(Auniv) is nonempty whereas L( Anan) O L(A indec) is empty, and thus Agni, and Andee 
are inequivalent in this case. This completes the proof. m 
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Figure 11: Noncomplementable automaton 


5.4 Nonclosure under complement 


The ITi-hardness of the inclusion problem implies that the class of TBAs is not closed 
under complement. 


Corollary 5.6 The class of timed regular languages is not closed under complementation. 


PROOF. Given TBAs A, and A over an alphabet ©, L( A1) € L(A2) iff the intersection 
of L(A) and the complement of L( A2) is empty. Assume that TBAs are closed under 
complement. Consequently, L( A1) Z L(Az) iff there is a TBA A such that L(A) L(A) 
is nonempty, but L( A2) N L(A) is empty. That is, L(A1) Z L(A) iff Ar and A are 
inequivalent according to +2. From Theorem 5.5 it follows that the complement of the 
inclusion problem is recursively enumerable. This contradicts the Hj-hardness of the 
inclusion problem. m 


The following example provides some insight regarding the nonclosure under comple- 
mentation. 


Example 5.7 The language accepted by the automaton of Figure 11 over {a} is 


Herr) (Sees >i. eS ee 


The complement of this language cannot be characterized using a TBA. The comple- 
ment needs to make sure that no pair of a’s is separated by distance 1. Since there is no 
bound on the number of a’s that can happen in a time period of length 1, keeping track of 
the times of all the a’s within the past 1 time unit, would require an unbounded number 
of clocks. m 


5.5 Choice of the clock constraints 


In this section we consider some of the ways to modify our definition of clock constraints 
and indicate how these decisions affect the expressiveness and complexity of different 
problems. Recall that our definition of the clock constraints allows Boolean combinations 
of atomic formulas which compare clock values with (rational) constants. With this 
vocabulary, timed automata can express only constant bounds on the delays between 
transitions. 

First suppose we extend the definition of clock constraints to allow subformulas involv- 
ing two clocks such as (x < y+ c). In particular, in Definition 3.6 of the set ®(X) of clock 
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2x=3y 
Figure 12: Automaton with clock constraints using + 


constraints, we allow, as atomic constraints, the conditions (x < y+c) and (a+c < y), for 
x,y € X and c € Q. Thus the allowed clock constraints are quantifier-free formulas using 
the primitives of comparison (<) and addition by rational constants (+c). The untiming 
construction can handle this extension very easily. We need to refine the equivalence 
relation on clock interpretations. Now, in addition to the previous conditions, we require 
that two equivalent clock interpretations agree on all the subformulas appearing in the 
clock constraints. Also it is easy to prove that this extension of clock constraints does not 
add to the expressiveness of timed automata. 

Next let us allow the primitive of addition in the clock constraints. Now we can write 
clock constraints such as (x +y < x! + y’) which allow the automaton to compare various 
delays. This greatly increases the expressiveness of the formalism. The language of the 
automaton in the following example is not timed regular. 


Example 5.8 Consider the automaton of Figure 12 with the alphabet {a,b,c}. It ex- 
presses the property that the symbols a, b, and c occur cyclically, and the delay between 
b and c is always twice the delay between the last pair of a and b. The language is defined 
by 

{((abe)*, 7) | V9. [rai — 733-1) = 2(Ts;-1 — T3j-2)]f- 


Intuitively, the constraints involving addition are too powerful and cannot be imple- 
mented by finite-state systems. Even if we constrain all events to occur at integer time 
values (i.e., discrete-time model), to check that the delay between first two symbols is 
same as the delay between the next two symbols, an automaton would need an unbounded 
memory. Thus with finite resources, an automaton can compare delays with constants, 
but cannot remember delays. In fact, we can show that introducing addition in the syntax 
of clock constraints makes the emptiness problem for timed automata undecidable. 


Theorem 5.9 Allowing the addition primitive in the syntax of clock constraints makes 
the emptiness problem for timed automata II}-hard. 

PROOF. As in the proof of Theorem 5.2 we reduce the problem of recurring compu- 
tations of nondeterministic 2-counter machines to the emptiness problem for time au- 
tomata using the primitive +. The alphabet is {a,b1,...b,}. We say that a timed 
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word (0,7) encodes a computation (21, ¢1, d1), (i2, C2, d2) +--+ of the 2-counter machine iff 
o = b;,ab;,ab;, +++ with 72; — T2j-1 = cj, and Taji — Ta; = d; for all 7 > 1. Thus the delay 
between b and the following a encodes the value of the counter C, and the delay between 
a and the following b encodes the value of D. We construct a timed automaton which 
accepts precisely the timed words encoding the recurring computations of the machine. 
The primitive of + is used to express a consecution requirement such as the value of the 
counter C remains unchanged. The details of the proof are quite straightforward. m 


6 Deterministic timed automata 


The results of Section 5 show that the class of timed automata is not closed under com- 
plement, and one cannot automatically compare the languages of two automata. In this 
section we define deterministic timed automata, and show that the class of languages ac- 
cepted by deterministic timed Muller automata (DTMA) is closed under all the Boolean 
operations. 


6.1 Definition 


Recall that in the untimed case a deterministic transition table has a single start state, 
and from each state, given the next input symbol, the next state is uniquely determined. 
We want a similar criterion for determinism for the timed automata: given an extended 
state and the next input symbol along with its time of occurrence, the extended state 
after the next transition should be uniquely determined. So we allow multiple transitions 
starting at the same state with the same label, but require their clock constraints to be 
mutually exclusive so that at any time only one of these transitions is enabled. 


Definition 6.1 A timed transition table (X, S, So, C, E) is called deterministic iff 
1. it has only one start state, [So] = 1, and 


2. for all s € S, for all a € X, for every pair of edges of the form (s,—,a,—,61) and 
(8, —, a, —, 62), the clock constraints 6, and 62 are mutually exclusive (i.e., 61 A 62 is 
unsatisfiable). 


A timed automaton is deterministic iff its timed transition table is deterministic. m 


Note that in absence of clocks the above definition matches with the definition of 
determinism for transition tables. Thus every deterministic transition table is also a 
deterministic timed transition table. Let us consider an example of a DIMA. 


Example 6.2 The DTMA of Figure 13 accepts the language Ler of Example 3.13: 


Low = {((ab)*,7) | BV) 2 i (Taj < rai +2) 


The Muller acceptance family is given by {{51,52}}. The state sı has two mutually 
exclusive outgoing transitions on b. The acceptance condition requires that the transition 
with the clock constraint (x > 2) is taken only finitely often. m 
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a,x:=0 b, (x<2) ? 


b, (x>2) ? a,x:=0 
Figure 13: Deterministic timed Muller automaton 


Deterministic timed automata can be easily complemented because of the following 
property: 


Lemma 6.3 A deterministic timed transition table has at most one run over a given 
timed word. 


PROOF. Consider a deterministic timed transition table A, and a timed word (0,7). 
The run starts at time 0 with the extended state (50, vo} where so is the unique start state. 
Suppose the extended state of A at time 7;-1 is (s,v), and the run has been constructed 
up to (j — 1) steps. By the deterministic property of A, at time 7; there is at most one 
transition (s, s’,a;,6, A) such that the clock interpretation at time 7;, V +T; —7;-1, satisfies 
6. If such a transition does not exist then A has no run over (ø, T). Otherwise, this choice 
of transition uniquely extends the run to the j-th step, and determines the extended state 
at time 7;. The lemma follows by induction. m 


6.2 Closure properties 


Now we consider the closure properties for deterministic timed automata. Like in the 
untimed case, the class of languages accepted by deterministic timed Muller automata is 
closed under all Boolean operations. 


Theorem 6.4 The class of timed languages accepted by deterministic timed Muller au- 
tomata is closed under union, intersection, and complementation. 


PROOF. We define a transformation on DTMAs to make the proofs easier; for every 
DTMA A = (}, S, so, C, E, F) we construct another DIMA A* by completing A as fol- 
lows. First we add a dummy state q to the automaton. From each state s (including 
q), for each symbol a, we add an a-labeled edge from s to q. The clock constraint for 
this edge is the negation of the disjunction of the clock constraints of all the a-labeled 
edges starting at s. We leave the acceptance condition unchanged. This construction 
preserves determinism as well as the set of accepted timed words. The new automaton 
A* has the property that for each state s and each input symbol a, the disjunction of the 
clock constraints of the a-labeled edges starting at s is a valid formula. Observe that A” 
has precisely one run over any timed word. We call such an automaton complete. In the 
remainder of the proof we assume each DIMA to be complete. 

Let A; = (X, Si, 50,, Ci, Ei, Fi), for à = 1,2, be two complete DTMAs with disjoint sets 
of clocks. First we construct a timed transition table A using a product construction. 
The set of states of A is Sı x S2. Its start state is (s0,,50,). The set of clocks is Cy U Co. 
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The transitions of A are defined by coupling the transitions of the two automata having 
the same label. Corresponding to an Aj-transition (51, t1, a, A1,61) and an A»-transition 
(52, ta, a, Ag, 62), A has a transition ((51, 52), (t1, t2), a, A1 U A2, 61 A 62). It is easy to check 
that A is also deterministic. A has a unique run over each (o,7), and this run can be 
obtained by putting together the unique runs of A; over (0,7). 

Let F' consist of the sets F € Sı x So such that the projection of F onto the first 
component is an accepting set of A; that is, 


F! = {F C Si x Sa | {s € Sy | ds’ € So. (s, 8’) EF} E Fy}. 


Hence a run r of A is an accepting run for A, iff inf(r) € F'. Similarly define F’ to 
consist of the sets F such that {s’ | ds € S1. (s,s’) € F} is in F2. Now coupling A with 
the Muller acceptance family F' U F? gives a DIMA accepting L(A1) U L( A2), whereas 
using the acceptance family FT N F? gives a DTMA accepting L(A;) N L(A). 

Finally consider complementation. Let A be a complete DIMA (5,8, so, C, E, F). A 
has exactly one run over a given timed word. Hence, (o, 7) is in the complement of L(A) iff 
the run of A over it does not meet the acceptance criterion of A. The complement language 


is, therefore, accepted by a DIMA which has the same underlying timed transition table 
as A, but its acceptance condition is given by 25 — F. m 


Now let us consider the closure properties of DTBAs. Recall that deterministic Buchi 
automata (DBA) are not closed under complement. The property that “there are infinitely 
many a’s” is specifiable by a DBA, however, the complement property, “there are only 
finitely many a’s” cannot be expressed by a DBA. Consequently we do not expect the 
class of DT'BAs to be closed under complementation. However, since every DTBA can be 


viewed as a DIMA, the complement of a DTBA-language is accepted by a DIMA. The 


next theorem states the closure properties. 


Theorem 6.5 The class of timed languages accepted by DTBAs is closed under union 
and intersection, but not closed under complement. The complement of a DTBA language 
is accepted by some DTMA. 


PROOF. For the case of union, we construct the product transition table as in case of 
DTMAs (see proof of Theorem 6.4). The accepting set is {(s,s’) | s € Fy Vs’ € Fo}. 

A careful inspection of the product construction for TBAs (see proof of Theorem 3.15) 
shows that it preserves determinism. The closure under intersection for DTBAs follows. 

The nonclosure of deterministic Buchi automata under complement leads to the non- 
closure for DTBAs under complement. The language {(0,7) | o € (b*a)”} is specifiable by 
a DBA. Its complement language {(0,7) |o € (a + b)*b*} is not specifiable by a DTBA. 
This claim follows from Lemma 6.7 (to be proved shortly), and the fact that the language 
(a + b)*b® is not specifiable by a DBA. 

Let A = (%,8,50,C,E,F) be a complete deterministic automaton. (0,7) is in the 
complement of L(A) iff the (unique) run of A over it does not meet the acceptance 
criterion of A. The complement language is, therefore, accepted by a DIMA with the 
same underlying timed transition table as A, and the acceptance family 25-*. m 
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6.3 Decision problems 


In this section we examine the complexity of the emptiness problem and the language 
inclusion problem for deterministic timed automata. 

The emptiness of a timed automaton does not depend on the symbols labeling its 
edges. Consequently, checking emptiness of deterministic automata is no simpler; it is 
PSPACE-complete. 

Since deterministic automata can be complemented, checking for language inclusion 
is decidable. In fact, while checking L(A) € L(A2), only A need be deterministic, A, 
can be nondeterministic. The problem can be solved in PSPACE: 


Theorem 6.6 For a timed automaton À; and a deterministic timed automaton Ag, the 


problem of deciding whether L(A,) is contained in L(A2) is PSPACE-complete. 


PROOF. PSPACE-hardness follows, even when A, is deterministic, from the fact that 
checking for the emptiness of the language of a deterministic timed automaton is PSPACE- 
hard. Let Ampy be a deterministic automaton which accepts the empty language. Now 
for a deterministic timed automaton A, L(A) is empty iff L(A) € L(Aempty). 

Observe that [(A1) € L(A2) iff the intersection of L(A) with the complement of 
L(A2) is empty. Recall that complementing the language of a deterministic automaton 
corresponds to complementing the acceptance condition. First we construct a timed 
transition table A from the timed transition tables of A, and A using the product 
construction (see proof of Theorem 6.4). The size of A is proportional to the product of 
the sizes of A;. Then we construct the region automaton R(A). L(A1) Z L(A2) iff R(A) 
has a cycle which is accessible from its start state, meets the progressiveness requirement, 
the acceptance criterion for A, and the complement of the acceptance criterion for Az. 
The existence of such a cycle can be checked in space polynomial in the size of A, as in 
the proof of PSPACE-solvability of emptiness (Theorem 4.17). m 


6.4 Expressiveness 


In this section we compare the expressive power of the various types of timed automata. 

Every DTBA can be expressed as a DTMA simply by rewriting its acceptance condi- 
tion. However the converse does not hold. First observe that every w-regular language 
is expressible as a DMA, and hence as a DTMA. On the other hand, since deterministic 
Buchi automata are strictly less expressive than deterministic Muller automata, certain 
w-regular languages are not specifiable by DBAs. The next lemma shows that such lan- 
guages cannot be expressed using DTBAs either. It follows that DTBAs are strictly less 
expressive than DTMAs. In fact, DT MAs are closed under complement, whereas DTBAs 
are not. 


Lemma 6.7 For an w-language L, the timed language {(0,7) | o € L} is accepted by 
some DTBA iff L is accepted by some DBA. 

PROOF. Clearly if L is accepted by a DBA, then {(o,7) | o € L} is accepted by the 
same automaton considered as a timed automaton. 

Now suppose that the language {(0,7) | o € L} is accepted by some DTBA A. We 
construct another DTBA A’ such that L(A’) = {(0,7) | (a € L) A Wir = at}. A’ 
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Class of timed languages Operations closed under 


TMA = TBA union, intersection 
U 


DTMA union, intersection, complement 
U 
DTBA union, intersection 


Figure 14: Classes of timed automata 


requires time to increase by 1 at each transition. The automaton A’ can be obtained from 
A by introducing an extra clock +. We add the conjunct x = 1 to the clock constraint of 
every edge in A and require it to be reset on every edge. A’ is also deterministic. 

The next step is the untiming construction for A’. Observe that Untime(L(A’)) = L. 
While constructing R(A’) we need to consider only those clock regions which have all 
clocks with zero fractional parts. Since the time increase at every step is predetermined, 
and A’ is deterministic, it follows that R(A’) is a deterministic transition table. We need 
not check the progressiveness condition also. It follows that the automaton constructed 
by the untiming procedure is a DBA accepting L. m 


From the above discussion one may conjecture that a DIMA language L is a DIBA 
language if Untime(L) is a DBA language. To answer this let us consider the convergent 
response property Lat specifiable using a DIMA (see Example 6.2). This language in- 
volves a combination of liveness and timing. We conjecture that no DTBA can specify 
this property (even though Untime(Lat) can be trivially specified by a DBA). 

Along the lines of the above proof we can also show that for an w-language L, the 
timed language {(0,7) |o € L} is accepted by some DTMA (or TMA, or TBA) iff L is 
accepted by some DMA (or MA, or BA, respectively). 

Since DT MAs are closed under complement, whereas TMAs are not, it follows that the 
class of languages accepted by DTMAs is strictly smaller than that accepted by TMAs. 
In particular, the language of Example 5.7, (“some pair of a’s is distance 1 apart”) is not 
representable as a DTMA; it relies on nondeterminism in a crucial way. 

We summarize the discussion on various types of automata in the table of Figure 14 
which shows the inclusions among various classes and the closure properties of various 
classes. Compare this with the corresponding results for the various classes of w-automata 
shown in Figure 15. 


7 Verification 


In this section we discuss how to use the theory of timed automata to prove correctness 
of finite-state real-time systems. We have chosen a simple formulation of the verification 
problem, but it suffices to illustrate the application of timed automata to verification 
problems. We start by introducing time in linear trace semantics for concurrent processes. 
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Class of w-languages Operations closed under 


MA = BA = DMA | union, intersection, complement 


U 
DBA union, intersection 


Figure 15: Classes of w-automata 


7.1 Trace semantics 


In trace semantics, we associate a set of observable events with each process, and model 
the process by the set of all its traces. A trace is a (linear) sequence of events that may 
be observed when the process runs. For example, an event may denote an assignment of a 
value to a variable, or pressing a button on the control panel, or arrival of a message. All 
events are assumed to occur instantaneously. Actions with duration are modeled using 
events marking the beginning and the end of the action. Hoare originally proposed such 
a model for CSP [22]. 

In our model, a trace will be a sequence of sets of events. Thus if two events a and b 
happen simultaneously, the corresponding trace will have a set {a, 6} in our model. In the 
usual interleaving models, this set will be replaced by all possible sequences, namely, a 
followed by 6 and 6 followed by a. Also we consider only infinite sequences, which model 
nonterminating interaction of reactive systems with their environments. 

Formally, given a set A of events, a trace o = 0102... is an infinite word over P*(A) 
— the set of nonempty subsets of A. An untimed process is a pair (A, X) comprising of 
the set A of its observable events and the set X of its possible traces. 


Example 7.1 Consider a channel P connecting two components. Let a represent the 
arrival of a message at one end of P, and let 6 stand for the delivery of the message at the 
other end of the channel. The channel cannot receive a new message until the previous 
one has reached the other end. Consequently the two events a and b alternate. Assuming 
that the messages keep arriving, the only possible trace is 


op : {a} — {b} > {a} > {b} > -... 


Often we will denote the singleton set {a} by the symbol a. The process P is represented 
by ({a,b},(ab)*). m 


Various operations can be defined on processes; these are useful for describing com- 
plex systems using the simpler ones. We will consider only the most important of these 
operations, namely, parallel composition. The parallel composition of a set of processes 
describes the joint behavior of all the processes running concurrently. 

The parallel composition operator can be conveniently defined using the projection 
operation. The projection of o € P*T(A)* onto B € A (written o[B) is formed by 
intersecting each event set in o with B and deleting all the empty sets from the sequence. 
For instance, in Example 7.1 oP[{a} is the trace a”. Notice that the projection operation 
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may result in a finite sequence; but for our purpose it suffices to consider the projection 
of a trace o onto B only when 6; N B is nonempty for infinitely many 2. 

For a set of processes {P; = (A;, X;) | ¿ = 1,2,...n}, their parallel composition ||; P; 
is a process with the event set U;A; and the trace set 


{o € Pt (U;A;)” | Ai o |A; € X;}. 


Thus ø is a trace of ||; P; iff of A; is a trace of P; for each à = 1,...n. When there are 
no common events the above definition corresponds to the unconstrained interleavings of 
all the traces. On the other hand, if all event sets are identical then the trace set of the 
composition process is simply the set-theoretic intersection of all the component trace 
sets. 


Example 7.2 Consider another channel Q connected to the channel P of Example 7.1. 
The event of message arrival for Q is same as the event b. Let c denote the delivery of 
the message at the other end of Q. The process Q is given by ({b,c},(bc)*). 

When P and Q are composed we require them to synchronize on the common event 
b, and between every pair of b’s we allow the possibility of the event a happening before 
the event c, the event c happening before a, and both occurring simultaneously. Thus 
| P || Q] has the event set {a,b,c}, and has an infinite number of traces. m 


In this framework, the verification question is presented as an inclusion problem. Both 
the implementation and the specification are given as untimed processes. The implemen- 
tation process is typically a composition of several smaller component processes. We 
say that an implementation (A, Xz) is correct with respect to a specification (A, Xs) iff 
Xr C Xs. 


Example 7.3 Consider the channels of Example 7.2. The implementation process is 
[P || Q]. The specification is given as the process S = ({a,b,c},(abc)”). Thus the 
specification requires the message to reach the other end of Q before the next message 
arrives at P. In this case, [P || Q] does not meet the specification 5, for it has too many 
other traces, specifically, the trace ab(acb)”. m 


Notice that according to the above definition of the verification problem, an imple- 
mentation with X; = Ÿ is correct with respect to every specification. To overcome this 
problem, one needs to distinguish between output events (the events controlled by the 
system), and the input events (the events controlled by its environment), and require 
that the implementation should not prevent its environment from executing the input 
events [14]. We believe that distinguishing between input and output events and intro- 
ducing timing are two orthogonal issues, and our goal in this paper is to indicate how to 
address the latter problem. 


7.2 Adding timing to traces 


An untimed process models the sequencing of events but not the actual times at which 
the events occur. Thus the description of the channel in Example 7.1 gives only the 
sequencing of the events a and b, and not the delays between them. Timing can be added 
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to a trace by coupling it with a sequence of time values. We choose the set of reals to 
model time. 

Recall that a time sequence T = 7,72... is an infinite sequence of time values 7; € R 
satisfying the strict monotonicity and progress constraints. A timed trace over a set of 
events A is a pair (0,7) where o is a trace over A, and 7 is a time sequence. Note that, 
since different events happening simultaneously appear in a single element in a trace, 
there is no reason to allow the possibility of the adjacent elements in a trace having the 
same associated time value. 

In a timed trace (0,7), each 7; gives the time at which the events in o; occur. In 
particular, 7, gives the time of the first observable event; we always assume 7 > 0, and 
define 7 = 0. Observe that the progress condition implies that only a finite number of 
events can happen in a bounded interval of time. In particular, it rules out convergent time 
sequences such as 1/2,3/4,7/8,... representing the possibility that the system participates 
in infinitely many events before time 1. 

A timed process is a pair (A, L) where A is a finite set of events, and L is a set of 
timed traces over A. 


Example 7.4 Consider the channel P of Example 7.1 again. Assume that the first 
message arrives at time 1, and the subsequent messages arrive at fixed intervals of length 
3 time units. Furthermore, it takes 1 time unit for every message to traverse the channel. 
The process has a single timed trace 


pp = (a,1) — (6,2) — (a,4) > (6,5) > ++: 
and it is represented as a timed process PT = ({a,6},{pp}). m 


The operations on untimed processes are extended in the obvious way to timed pro- 
cesses. To get the projection of (0,7) onto B € A, we first intersect each event set in 
o with B and then delete all the empty sets along with the associated time values. The 
definition of parallel composition remains unchanged, except that it uses the projection 
for timed traces. Thus in parallel composition of two processes, we require that both the 
processes should participate in the common events at the same time. This rules out the 
possibility of interleaving: parallel composition of two timed traces is either a single timed 
trace or is empty. 


Example 7.5 As in Example 7.2 consider another channel Q connected to P. For Q, 
as before, the only possible trace is ag = (bc). In addition, the timing specification of 
Q says that the time taken by a message for traversing the channel, that is, the delay 
between b and the following c, is some real value between 1 and 2. The timed process QT 
has infinitely many timed traces, and it is given by 


| {b,c}, {(oo,T) | Vi. (rois + 1 < Tai < Pia + 2)} J. 


The description of [ PT || QT] is obtained by composing pp with each timed trace of QT. 
The composition process has uncountably many timed traces. An example trace is 


(a,1) — (6,2) — (63.8) — (a,4) — (6,5) — (c,6.02) > --- 
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The time values associated with the events can be discarded by the Untime operation. 
For a timed process P = (A, L), Untime[(A, L)] is the untimed process with the event set 
A and the trace set consisting of traces o such that (0,7) € L for some time sequence 7. 

Note that 

Untime(P || P2) € Untime(P,) || Untime( Pz). 


However, as Example 7.6 shows, the two sides are not necessarily equal. In other words, 
the timing information retained in the timed traces constrains the set of possible traces 
when two processes are composed. 


Example 7.6 Consider the channels of Example 7.5. Observe that Untime(PT) = P and 
Untime(Q?) = Q. [PT || QT] has a unique untimed trace (abc)”. On the other hand, 
| P || Q] has infinitely many traces; between every pair of b events all possible orderings 
of an event a and an event c are admissible. m 


The verification problem is again posed as an inclusion problem. Now the implemen- 
tation is given as a composition of several timed processes, and the specification is also 
given as a timed process. 


Example 7.7 Consider the verification problem of Example 7.3 again. If we model the 
implementation as the timed process | PT || QT] then it meets the specification S. The 
specification S is now a timed process ({a, b, c}, {((abc)”, 7)}). Observe that, though the 
specification $ constrains only the sequencing of events, the correctness of | PF || QT] 
with respect to S crucially depends on the timing constraints of the two channels. m 


7.3 w-automata and verification 


We start with an overview of the application of Buchi automata to verify untimed pro- 
cesses [45, 44]. Observe that for an untimed process (A, X), X is an w-language over the 
alphabet P*(A). If it is a regular language it can be represented by a Büchi automaton. 

We model a finite-state (untimed) process P with event set A using a Büchi automaton 
Ap over the alphabet Pt(A). The states of the automaton correspond to the internal 
states of the process. The automaton Ap has a transition (s,s’,a), with a C A, if the 
process can change its state from s to s’ participating in the events from a. The acceptance 
conditions of the automaton correspond to the fairness constraints on the process. The 
automaton Ap accepts (or generates) precisely the traces of P; that is, the process P is 
given by (A, L(Ap)). Such a process P is called an w-regular process. 

The user describes a system consisting of various components by specifying each in- 
dividual component as a Buchi automaton. In particular, consider a system 7 com- 
prising of n components, where each component is modeled as an w-regular process 
P; = (4;,L(4;)). The implementation process is |||; P;]. We can automatically con- 
struct the automaton for / using the construction for language intersection for Buchi 
automata. Since the event sets of various components may be different, before we apply 
the product construction, we need to make the alphabets of various automata identical. 
Let A = U;A;. From each A;, we construct an automaton A! over the alphabet P(A) 
such that L(A;) = {a € PHAY | ofA; € L(A;)}. Now the desired automaton A; is the 
product of the automata At. 
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The specification is given as an w-regular language S over P(A). The implementation 
meets the specification iff L( Ar) € S. The property S can presented as a Büchi automaton 
As. In this case, the verification problem reduces to checking emptiness of L(A7;)NL(As)°. 

The verification problem is PSPACE-complete. The size of A; is exponential in the 
description of its individual components. If As is nondeterministic, taking the comple- 
ment involves an exponential blow-up, and thus the complexity of verification problem is 
exponential in the size of the specification also. However, if As is deterministic, then the 
complexity is only polynomial in the size of the specification. 

Even if the size of the specification and the sizes of the automata for the individual 
components are small, the number of components in most systems of interest is large, 
and in the above method the complexity is exponential in this number. Thus the product 
automaton A; has a prohibitively large number of states, and this limits the applicability 
of this approach. Alternative methods which avoid enumeration of all the states in A; 
have been proposed, and shown to be applicable to verification of some moderately sized 
systems [8, 18]. 


7.4 Verification using timed automata 


For a timed process (A, L), L is a timed language over PT(A). A timed regular process is 
one for which the set L is a timed regular language, and can be represented by a timed 
automaton. 

Finite-state systems are modeled by TBAs. The underlying transition table gives the 
state-transition graph of the system. We have already seen how the clocks can be used 
to represent the timing delays of various physical components. As before, the acceptance 
conditions correspond to the fairness conditions. Notice that the progress requirement 
imposes certain fairness requirements implicitly. Thus, with a finite-state process P, we 
associate a TBA Ap such that L( Ap) consists of precisely the timed traces of P. 

Typically, an implementation is described as a composition of several components. 
Each component should be modeled as a timed regular process P; = (A;, L(A;)). It is 
possible to construct a TBA A; which represents the composite process |||; P;]. To do 
this, first we need to make the alphabets of various automata identical, and then take the 
intersection. However, in the verification procedure we are about to outline, we will not 
explicitly construct the implementation automaton Ay. 

The specification of the system is given as another timed regular language S over the 
alphabet P(A), where A = U;A;. The system is correct iff L(Ar) C S. If S is given as a 
TBA, then in general, it is undecidable to test for correctness. However, if S is given as 
a DTMA As, then we can solve this as outlined in Section 6.3. 

Putting together all the pieces, we conclude: 


Theorem 7.8 Given timed regular processes P; = (4;, L(A;)), à = 1,...n, modeled 
by timed automata A;, and a specification as a deterministic timed automaton As, the 
inclusion of the trace set of |||; P;] in L(As) can be checked in PSPACE. 

PROOF. Consider TBAs A; = (P*(A;),5;,5;,, Ci, Ei, Fi), = 1,...n, and the DTMA 
As = (P*(A),So,S0,, Co, Eo, F). Assume without loss of generality that the clock sets 
C;,2 =0,...n, are disjoint. 
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The verification algorithm constructs the transition table of the region automaton 
corresponding to the product A of the timed transition tables of A; with As. The set of 
clocks of A is C = U;C;. The states of A are of the form (s9,...8,) with each s; € Sj. 
The initial states of A are of the form (50,...5,) with each s; € Sa. A transition of A is 
obtained by coupling the transitions of the individual automata labeled with consistent 
event sets. A state s = (s9,...5,) has a transition to state s’ = (sj,...s/,) labeled 
with event set a € PT(A), clock constraint A;6;, and the set U;A; of clocks, iff for each 
0 < i <n, either there is a transition (s;, s4, a N Aj, À;,6;) € E;, or the automaton A; does 
not participate in this transition: si = s;, a N A; = 9, À; = 0, and 6; = true. 

The region automaton R(A) is defined from the product table A as described in 
Section 4. To test the desired inclusion, the algorithm searches for a cycle in the region 
automaton such that (1) it is accessible from the initial state of R(A), (2) it satisfies 
the progessiveness condition: for each clock x € C, the cycle contains at least one region 
satisfying [(x = 0) V ( > ¢,)], (3) since our definition of the composition requires that 
we consider only those infinite runs in which each automaton participates infinitely many 
times, we require that, for each 1 <2 < n, the cycle contains a transition in which the 
automaton A; participates, (4) the fairness requirements of all implementation automata 
A; are met: for each 1 <7 < n, the cycle contains some state whose 1-th component 
belongs to the accepting set F;, (5) the fairness condition of the specification is not met: 
the projection of the states in the cycle onto the component of As does not belong to the 
acceptance family F. The desired inclusion does not hold iff a cycle with all the above 
conditions can be found. 

Each state of the region automaton can be represented in space polynomial in the 
description of the input automata. It follows that the inclusion test can be performed in 


PSPACE. m 


The number of vertices in the region automaton is O[| As |L A; 249421401), and 
the time complexity of the above algorithm is linear in this number. There are mainly 
three sources of exponential blow-up: 


1. The complexity is proportional to the number of states in the global timed automa- 
ton describing the implementation |||; P;]. This is exponential in the number of 
components. 


2. The complexity is proportional to the product of the constants c,, the largest con- 
stant x is compared with, over all the clocks x involved. 


3. The complexity is proportional to the number of permutations over the set of all 
clocks. 


The first factor is present in the simplest of verification problems, even in the untimed 
case. Since the number of components is typically large, this exponential factor has been 
a major obstacle in implementing model-checking algorithms. 

The second factor is typical of any formalism to reason about quantitative time. The 
blow-up by actual constants is observed even for simpler, discrete models. Note that if 
the bounds on the delays of different components are relatively prime then this factor 
leads to a major blow-up in the complexity. 
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Figure 16: TRAIN 


Lastly, in the untiming construction, we need to account for all the possible orderings 
of the fractional parts of different clocks, and this is the source of the third factor. We 
remark that switching to a simpler, say discrete-time, model will avoid this blow-up in 
complexity. However since the total number of clocks is linear in the number of indepen- 
dent components, this blow-up is the same as that contributed by the first factor, namely, 
exponential in the number of components. 


7.5 Verification example 


We consider an example of an automatic controller that opens and closes a gate at a 
railroad crossing [29]. The system is composed of three components: TRAIN, GATE and 
CONTROLLER. 

The automaton modeling the train is shown in Figure 16. The event set is {approach, 
exit, in, out, idr}. The train starts in state so. The event idr represents its idling event; 
the train is not required to enter the gate. The train communicates with the controller 
with two events approach and exit. The events in and out mark the events of entry 
and exit of the train from the railroad crossing. The train is required to send the signal 
approach at least 2 minutes before it enters the crossing. Thus the minimum delay between 
approach and in is 2 minutes. Furthermore, we know that the maximum delay between 
the signals approach and exit is 5 minutes. This is a liveness requirement on the train. 
Both the timing requirements are expressed using a single clock x. 

The automaton modeling the gate component is shown in Figure 17. The event set 
is {raise, lower, up, down, idg}. The gate is open in state sg and closed in state 52. It 
communicates with the controller through the signals lower and raise. The events up and 
down denote the opening and the closing of the gate. The gate responds to the signal 
lower by closing within 1 minute, and responds to the signal raise within 1 to 2 minutes. 
The gate can take its idling transition zdg in states so or 52 forever. 

Finally, Figure 18 shows the automaton modeling the controller. The event set is 
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up, ~in out, ~up 


Figure 19: Safety property 


{approach, exit, raise, lower, idg}. The controller idle state is sọ. Whenever it receives 
the signal approach from the train, it responds by sending the signal lower to the gate. 
The response time is 1 minute. Whenever it receives the signal exit, it responds with a 
signal raise to the gate within 1 minute. 

The entire system is then 


[TRAIN || GATE || CONTROLLER]. 


The event set is the union of the event sets of all the three components. In this example, 
all the automata are particularly simple; they are deterministic, and do not have any 
fairness constraints (every run is an accepting run). The timed automaton A; specifying 
the entire system is obtained by composing the above three automata. 

The correctness requirements for the system are the following: 


1. Safety: Whenever the train is inside the gate, the gate should be closed. 
2. Real-time Liveness: The gate is never closed at a stretch for more than 10 minutes. 


The specification refers to only the events in, out, up, down. The safety property 
is specified by the automaton of Figure 19. An edge label in stands for any event set 
containing in, and an edge label “in, ~out” means any event set not containing out, but 
containing in. The automaton disallows in before down, and up before out. All the states 
are accepting states. 

The real-time liveness property is specified by the timed automaton of Figure 20. The 
automaton requires that every down be followed by up within 10 minutes. 

Note that the automaton is deterministic, and hence can be complemented. Further- 
more, observe that the acceptance condition is not necessary; we can include state sı 
also in the acceptance set. This is because the progress of time ensures that the self- 
loop on state sı with the clock constraint (x < 10) cannot be taken indefinitely, and the 
automaton will eventually visit state so. 

The correctness of A; against the two specifications can be checked separately as 
outlined in Section 7. Observe that though the safety property is purely a qualitative 
property, it does not hold if we discard the timing requirements. 
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~down (x<10) ? 


up, (x<10) ? 


Figure 20: Real-time liveness property 


8 New results on timed automata 


Timed automata provide a natural way of expressing timing delays of a real-time system. 
In this presentation, we have studied them from the perspective of formal language theory. 
Now we briefly review other results about timed automata. The precise formulation of 
timed automata is different in different papers, but the underlying idea remains the same. 

Timed automata are useful for developing a decision procedure for the logic MITL, a 
real-time extension of the linear temporal logic PTL [4]. The decision procedure constructs 
a timed automaton A, from a given MITL-formula ¢, such that A, accepts precisely the 
satisfying models of 6; thereby reducing the satisfiability question for ¢ to the emptiness 
question for Ay. This construction can also be used to check the correctness of a system 
modeled as a product of timed automata against MITL-specification. 

The untiming construction for timed automata forms the basis for verification algo- 
rithms in the branching-time model also. In [1], we develop a model-checking algorithm 
for specifications written in TCTL — a real-time extension of the branching-time tempo- 
ral logic CTL of [16]. In [43], a notion of timed bisimulation is defined for timed automata, 
and an algorithm for deciding whether two timed automata are bisimilar, is given. 

Timed automata is a fairly low-level representation, and automatic translations from 
more structured representations such as process algebras, timed Petri nets, or high-level 
real-time programming languages, should exist. Recently, Sifakis et al. have shown how 
to translate a term of the real-time process algebra ATP to a timed automaton [34]. 

One promising direction of extending the process model discussed here is to incorpo- 
rate probabilistic information. This is particularly relevant for systems that control and 
interact with physical processes. We add probabilities to timed automata by associat- 
ing fixed distributions with the delays. This extension makes our processes generalized 
semi-Markov processes (GSMPs). Surprisingly, the untiming construction used to test 
for emptiness of a timed automaton can be used to analyze the behavior of GSMPs also. 
In [2], we present an algorithm that combines model-checking for TCTL with model- 
checking for discrete-time Markov chains. The method can also be adopted to check 
properties specified using deterministic timed automata [3]. 

Questions other than verification can also be studied using timed automata. For 
example, Wong-Toi and Hoffmann study the problem of supervisory control of discrete 
event systems when the plant and specification behaviors are represented by timed au- 
tomata [48]. The problem of synthesizing schedulers from timed automata specifications 
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is addressed in [15]. Courcoubetis and Yannakakis use timed automata to solve certain 
minimum and maximum delay problems for real-time systems [12]. For instance, they 
show how to compute the earliest and the latest time a target state can appear along the 


runs of an automaton from a given initial state. 
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